ndk-build error when trying to link with libcrypto.so

[Lance Blais]

Hey, I'm trying to build my code (the VPNC code base) with the ndk-build command, but when I link libcrypto.so from the Android source, I get the below error.

I'm using a mac running 10.8.5 (Mountain Lion), NDK r9 and I followed the all the instructions from the android source page to download and build it.

Any help is appreciated, thanks..

Here is the error:

/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__strlen_chk'
/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld:
/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__strrchr_chk'
/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld:
/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__strchr_chk'
/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld:
/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__sprintf_chk'
/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld:
/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__strncpy_chk2'
/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld:
/Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
error: undefined reference to '__strcat_chk'

[Ali Helmy]

Hey mate,

What does your Android.mk file look like? Can you link it here?

-- 

Cheers,
Ali Helmy

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk...@googlegroups.com.
To post to this group, send email to andro...@googlegroups.com.
Visit this group at http://groups.google.com/group/android-ndk.
For more options, visit https://groups.google.com/groups/opt_out.

[Lance Blais]

Hi, 

I assume you want the one relating to my application. I've actually got a few of them for the other dependencies, but this is the one which tries to link to the Android source.

#

# Android.mk

#

LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)

#

# Build vpnc-debug.h

#

AOSP := /opt/android-platform

LOCAL_CFLAGS += -DCRYPTO_OPENSSL -DOPENSSL_GPL_VIOLATION -fpic 

LOCAL_LDLIBS := -L$(AOSP)/out/target/product/generic/system/lib -lcrypto -lssl -ldl

VERSION:="`cd $(LOCAL_PATH) ; ./mk-version`"

vpnc-debug.c vpnc-debug.h:

make -C $(LOCAL_PATH) $(basename $@)

LOCAL_SRC_FILES:= \

        vpnc-debug.c vpnc.c crypto-openssl.c \

        netbsd_getpass.c  \

sysdep.c isakmp-pkt.c tunip.c config.c dh.c math_group.c supp.c decrypt-utils.c crypto.c

LOCAL_C_INCLUDES += \

$(AOSP)/external/openssl/include/ \

$(LOCAL_PATH)/../libgcrypt/src/ \

$(LOCAL_PATH)/../libgpg-error/src/ \

$(LOCAL_PATH) 

LOCAL_CFLAGS += -DVERSION="\"$(VERSION)\""  -W -Wall -Wwrite-strings

# LOCAL_MODULE_TAGS:=debug

LOCAL_MODULE:=vpnc

LOCAL_STATIC_LIBRARIES:= \

libgcrypt \

libgpg-error

#LOCAL_SHARED_LIBRARIES := libc libcrypto libssl libdl

include $(BUILD_EXECUTABLE)

#

# End of Android.mk

#

[Jeffrey Walton]

On Sun, Sep 29, 2013 at 12:50 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> Hey, I'm trying to build my code (the VPNC code base) with the ndk-build
> command, but when I link libcrypto.so from the Android source, I get the
> below error.
>
> I'm using a mac running 10.8.5 (Mountain Lion), NDK r9 and I followed the
> all the instructions from the android source page to download and build it.

Well, I've never built my own libraries, so take it for what it's worth...

> /Users/me/android-platform/out/target/product/generic/system/lib//libcrypto.so:
> error: undefined reference to '__strlen_chk'

It looks like SYSROOT is not set. Since you built your own runtimes, I
would expect the Android build system cannot find your version of the
runtimes.

Jeff

[Lance Blais]

I assume that you mean SYSROOT is the root to the path of where I've built my android source?

If so, the Android.mk references the location of the built libraries along with which to link against, so I'm not sure I understand the issue.

[Jeffrey Walton]

On Mon, Sep 30, 2013 at 1:57 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> I assume that you mean SYSROOT is the root to the path of where I've built
> my android source?

My, bad, no.

SYSROOT as in the --sysroot option, which provides a convenient way to
pass the location of headers and libraries for the particular
platform. For example, here's what one looks like using Android's
stock runtime:

$ export ANDROID_SYSROOT=/opt/android-ndk-r8e/platforms/android-14/arch-arm

$ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT" \
-I/usr/local/ssl/android-14/include fips_hmac.c \
-o fips_hmac.exe /usr/local/ssl/android-14/lib/libcrypto.so

The command above will find all the headers correctly and link to the
correct runtimes because of --sysroot="$ANDROID_SYSROOT".

I don't know the equivalent when using Android's build system since I
usually build from the command line. When I botch it from the command
line, I get the a similar collection of compile/link of errors you
described.

Jeff

[Lance Blais]

Alright, so can you advise what I need to modify to maybe further debug this?

I don't really understand what is wrong. It seemed like my build of the source code didn't quite work, but I didn't get any errors.

[Jeffrey Walton]

On Mon, Sep 30, 2013 at 2:46 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> Alright, so can you advise what I need to modify to maybe further debug
> this?

Sorry, I cannot. I don't build custom runtimes, I don't use Android's
build system, and I rarely use Eclipse.

> I don't really understand what is wrong. It seemed like my build of the
> source code didn't quite work, but I didn't get any errors.

Take a look at the directory layout of, for example,
$ANDROID_NDK_ROOT/platforms/android-14/arch-arm.

Does you custom runtime follow the layout? If so, I would expect you
can pass SYSROOT somewhere and things would just work.

Related: for a discussion of ANDROID_NDK_ROOT and ANDROID_SDK_ROOT,
see https://groups.google.com/forum/#!msg/android-ndk/qZjhOaynHXc/2ux2ZZdxy2MJ.

Jeff

[David Turner]

In general, you cannot use the libraries from a platform build with the NDK.

In this specific case, the version of libcrypto.so you're trying to link to contains references to C library symbols (e.g. __sprintf_chk) that are not available to ndk-build (or more precisely, the version of libc.so provided by the NDK, and used at link time).

You need to rebuild libcrypto with the NDK itself, or a NDK-compatible standalone toolchain, to get a NDK-compatible compatible binary.

- David

PS: For the record, these symbols are provided to "fortify" the binaries, and were introduced in 4.2 iirc. Lookup FORTIFY_SOURCE for more details.

--

[Lance Blais]

So you're saying I need to add libcrypto to my source and build it just like I'm building everything else?

Thanks for the information about FORTIFY_SOURCE. In my findings (before I posted here) I saw reference to such a thing but did not quite understand it!

[David Turner]

On Tue, Oct 1, 2013 at 2:09 PM, Lance Blais <lance...@codeartifacts.com> wrote:

So you're saying I need to add libcrypto to my source and build it just like I'm building everything else?

Yes, either that or find a different prebuilt of the library that was built with a NDK-compatible toolchain.

Also, don't simply call it 'libcrypto.so'  because this will conflict with the system library with the same name preloaded in all Android application processes. Either link it statically (recommended), or give it a different name (e.g. libcrypto_myproject.so).

[Lance Blais]

If I build using the older NDK versions and source (which has worked), will that affect which Android OS versions my app runs on?

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 8:09 AM, Lance Blais
<lance...@codeartifacts.com> wrote:
> So you're saying I need to add libcrypto to my source and build it just like
> I'm building everything else?
>
> Thanks for the information about FORTIFY_SOURCE. In my findings (before I
> posted here) I saw reference to such a thing but did not quite understand
> it!

Fortify sources is a good measure to help with overflows. The way it
works: if a compiler can deduce destination buffer sizes at compile
time, then a "safer" variant of questionable functions is used. For
example, strcpy (which only takes a destination pointer) would be
replaced with strlcpy (BSDs) or strcpy_s (Microsoft). strlcpy/strcpy_s
takes a destination pointer and destination size. The compiler
effectively generates a call to abort() on overflow.

Ulrich Drepper been a real problem here for folks using Linux and
libc. He called the safer functions "horribly inefficient BSD crap"
[0] and led the resistance against the implementation. Even though the
safer functions were standardized via ISO/IEC TR24731-1, the standard
runtime still does not have them.

There's other measures you can use to help with the security side of
things (in addition to FORTIFY_SOURCES). If interested, see
https://www.owasp.org/index.php/C-Based_Toolchain_Hardening.

Jeff

[0] PATCH: safe string copy and concatenation [sic],
http://www.sourceware.org/ml/libc-alpha/2000-08/msg00053.html

[Rahul Bhattacharya]

You can use the following command

 arm-none-linux-gnueabi-readelf -a <dynamic_lib> to retrieve all the symbols defined for any *.so file

Similarly, execute this on all the available libs to see if you can get symbols resolved. Then you have to modify your Android.mk file accordingly to resolve the symbols

find . -name lib*.so  | xargs arm-none-linux-gnueabi-readelf -a | grep __strncpy_chk2

[Lance Blais]

Rahul, I do not have that tool.

Lances-MacBook-Pro:~ lanceblais$ find . -name *readelf*

./android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-readelf

./android-ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-readelf

./android-ndk/toolchains/mipsel-linux-android-4.6/prebuilt/darwin-x86_64/bin/mipsel-linux-android-readelf

./android-ndk/toolchains/mipsel-linux-android-4.8/prebuilt/darwin-x86_64/bin/mipsel-linux-android-readelf

./android-ndk/toolchains/x86-4.6/prebuilt/darwin-x86_64/bin/i686-linux-android-readelf

./android-ndk/toolchains/x86-4.8/prebuilt/darwin-x86_64/bin/i686-linux-android-readelf

Are any of these capable of doing the same?

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 12:58 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> Rahul, I do not have that tool.
>
> Lances-MacBook-Pro:~ lanceblais$ find . -name *readelf*
> ./android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-readelf
> ./android-ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-readelf
> ./android-ndk/toolchains/mipsel-linux-android-4.6/prebuilt/darwin-x86_64/bin/mipsel-linux-android-readelf
> ./android-ndk/toolchains/mipsel-linux-android-4.8/prebuilt/darwin-x86_64/bin/mipsel-linux-android-readelf
> ./android-ndk/toolchains/x86-4.6/prebuilt/darwin-x86_64/bin/i686-linux-android-readelf
> ./android-ndk/toolchains/x86-4.8/prebuilt/darwin-x86_64/bin/i686-linux-android-readelf
>
> Are any of these capable of doing the same?

In general, you should use the NDK tools, and not the generic Linux
armeabi stuff.

So yes, they are capable and preferred.

Jeff

[Rahul Bhattacharya]

From your logs used, Use the arm-linux-androideabi-readelf lying in your

/Users/me/android-ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/

[Lance Blais]

Rahul, I'm not sure I understand.

I ran that command in the location where my compiled android source places all the .so files.

As expected, libcrypto.so uses __strncpy_chk2 (similarly, a few other .so files use __strncpy_chk2).

The output for libc.so, libc_malloc_debug_leak.so and libc_malloc_debug_qemu.so are different than libcrypto.so

What am I looking for exactly? I'm not getting anywhere. I couldn't even build openssl as a standalone without running into problems.

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 1:23 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> ...I couldn't even build openssl as a standalone
> without running into problems.
This should not happen when using the NDK's prebuilt toolchain (is
that what you meant when you used 'stand alone'?). There's definitely
a problem with the build process and procedures.

I know the following works when building OpenSSL with the Android NDK
prebuilt toolchains:
http://wiki.openssl.org/index.php/FIPS_Library_and_Android. I've been
through the procedure many times.

Jeff

[Lance Blais]

So, basically:

I'm getting those errors relating to undefined references to __strlen_chk, __strrchr_chk, __sprintf_chk, __strncpy_chk2 and __strcat_chk

I'm told that I can't link against the android sources and hence linking against the libcrypto.so and libssl.so in the source won't work.

One recommendation was to build libcrypto.so and libssl.so myself and link against that instead. Jeff, is this something you can help me with?

[Lance Blais]

I tried this: http://wiki.openssl.org/index.php/FIPS_Library_and_Android

I get all the way to the http://wiki.openssl.org/index.php/FIPS_Library_and_Android#Build_the_FIPS_Capable_Library_2

When I run `make all`, it fails:

[ -z "libcrypto" ] || arm-linux-androideabi-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -march=armv7-a -mandroid -I/Users/lanceblais/android-ndk/platforms/android-14/arch-arm/usr/include -B/Users/lanceblais/android-ndk/platforms/android-14/arch-arm/usr/lib -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/android-14//include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -Iinclude \

-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \

/usr/local/ssl/android-14/lib/fips_premain.c /usr/local/ssl/android-14/lib/fipscanister.o \

libcrypto.a -ldl

ar: fipscanister.o: not found in archive

This is frustrating... 

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 1:41 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> So, basically:
>
> I'm getting those errors relating to undefined references to __strlen_chk,
> __strrchr_chk, __sprintf_chk, __strncpy_chk2 and __strcat_chk
> I'm told that I can't link against the android sources and hence linking
> against the libcrypto.so and libssl.so in the source won't work.
>
> One recommendation was to build libcrypto.so and libssl.so myself and link
> against that instead. Jeff, is this something you can help me with?

Yes, but you probably don't need my help.

Follow the instructions at
http://wiki.openssl.org/index.php/FIPS_Library_and_Android. Omit the
sections "Set the Incore Utility Path" and "Build the FIPS Object
Module". You don't need them because they are FIPS related.

Follow the instructions before the skipped sections, and follow the
instructions after the skipped sections. When you encounter "Build the
FIPS Capable Library", configure without 'fips' since you omitted it.
For example:

$ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine \
--openssldir=/usr/local/ssl/android-14/

I added the section under "Executive Summary" so I could simply
copy/paste instructions. If all goes well, that's all you will need to
do. If you encounter errors, then read the detailed expalinations
after "Executive Summary".

I've used that setenv-android.sh script [from the OpenSSL wiki page]
on a number of open source projects, including Botan, Cryptlib,
Crypto++, OpenSSL, libevent, libcurl, etc (Tim Hudson, Steve Marquess
and I wrote it). The setenv-android.sh is where the magic lies.
Everything else is 'just build procedures'.

You also have a number of GitHub projects that offer OpenSSL for
Android using their modified build system:
https://www.google.com/#q=android+openssl+github. That might suite
your taste too. But I would encourage you to learn how to set the
environment with setenv-android.sh and use the NDK tools so you can
compile anything you want, including OpenSSL.

[Jeffrey Walton]

> /usr/local/ssl/android-14/lib/fips_premain.c
> /usr/local/ssl/android-14/lib/fipscanister.o \
> libcrypto.a -ldl
> ar: fipscanister.o: not found in archive

What was your configure?

I don't believe you're building for FIPS. So omit the 'fips' in the
config under "Build the FIPS Capable Library":

./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine \
--openssldir=/usr/local/ssl/android-14/

Here's the recipe you want to following. Its adapted from the
Executive Summary, and omits the FIPS stuff:

# Start fresh
$ rm -rf openssl-1.0.1e/
$ chmod a+x setenv-android.sh

# From the 'root' directory
$ . ./setenv-android.sh
$ tar xzf openssl-1.0.1e.tar.gz
$ cd openssl-1.0.1e/

$ perl -pi -e 's/install: all install_docs install_sw/install:
install_docs install_sw/g' Makefile.org

$ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine \

--openssldir=/usr/local/ssl/$ANDROID_API

$ make depend
$ make all
$ sudo -E make install CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc
RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib

Its that easy one the environment is set using setenv-android.sh. Be
sure to include the leading ".' (dot) when setting the environment.

Once install runs, the Android related OpenSSL is located at, for
example, /usr/local/ssl/android-14/.

Don't worry about the FPS stuff. It just complicates things.

Jeff


On Tue, Oct 1, 2013 at 2:35 PM, Lance Blais

[Lance Blais]

Hey Jeff,

It built when I followed the instructions to ignore the FIPS stuff.

Now, when I link my app to the new openssl location (/usr/local/ssl/android-14) it can't find openssl/x509.h which I'm assuming is an issue finding the include/openssl directory.

Just need to fix this in my Android.mk file

[Lance Blais]

Ok, I'm out of ideas.

I get undefined references to all sorts of things now:
sk_free
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
OPENSSL_add_all_algorithms_noconf
ERR_load_crypto_strings

And a bunch more. Is this still a linking issue, or .. ?

On Tue, Oct 1, 2013 at 3:15 PM, Lance Blais

--
Lance Blais
Software Developer - Security, Web & Mobile
http://blog.codeartifacts.com

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 3:19 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> Ok, I'm out of ideas.
>
> I get undefined references to all sorts of things now:
> sk_free
> OpenSSL_add_all_ciphers
> OpenSSL_add_all_digests
> OPENSSL_add_all_algorithms_noconf
> ERR_load_crypto_strings
>
> And a bunch more. Is this still a linking issue, or .. ?

Yes, its a linking issue. What libraries are you linking?

Here's from my Macbook (but using the library built for Mac OS X).
Android will be similar, just use the Android NDK tools

$ pwd
/usr/local/ssl
$ nm macosx-x64/lib/libcrypto.a | grep -i OpenSSL_add_all_ciphers 2>/dev/null
...
U _OpenSSL_add_all_ciphers
0000000000000000 T _OpenSSL_add_all_ciphers

The "T" is the one you want - it the text section, which means its defined.

*If* you are linking aginst the shared object, the add the "-D" switch to 'nm'.

So, are you linking against libcrypto.a or libcrypto.so? If so, is it on path?

Finally, order matters when linking libraries because ld is a single
pass linker. So be sure the library is listed in the "right" place in
the list of libraries.

[Jeffrey Walton]

On Tue, Oct 1, 2013 at 3:15 PM, Lance Blais
<lance...@codeartifacts.com> wrote:
> Hey Jeff,
>
> It built when I followed the instructions to ignore the FIPS stuff.

Cool. You can use that setenv-android.sh script just about everywhere.
Some projects are picky, so you will need to make them "cross compile"
aware (for example, Crypto++:
http://www.cryptopp.com/wiki/Android_%28Command_Line%29).

Jeff

[Vanya Yani]

error: undefined reference to '__strchr_chk'

I've got this fixed by downloading a recent NDK (android-ndk-r9b)

[FedeX Tsapanas]

I have the same problem only when trying cross-compile statically linked openssl on x86. On arm all is nice.

I use
APP_PLATFORM := android-9
APP_ABI := armeabi x86
NDK_TOOLCHAIN_VERSION := 4.8
in my project