undefined symbol: CRYPTO_chacha_20 when built with boringssl

Tue Jun 25 15:20:28 UTC 2024

On Tue, Jun 25, 2024 at 10:57 AM Dave Kennard <showerheadsuk at hotmail.com> wrote:
>
> Thanks very much for the help. I tried adding "-R/opt/boringssl/lib" in ld options, so it looked like: --with-ld-opt='-Wl,-R,/opt/GeoIP/lib -R/opt/boringssl/lib -L/opt/GeoIP/lib -L/opt/boringssl/lib' But this gave the same result, probably the above is wrong because I don't really know what I am doing with linker options.
>
> You are correct though, I tried replacing the system libcrypto.so and libssl.so with links to the boringssl ones and that got rid of the issue. So it is just not looking for them in the correct place.
>
> I will have to read up on linker options then hopefully I can get it working properly.
>
> Thanks for pointing me in the right direction.
>
> On Mon, Jun 24, 2024 at 08:06:23AM +0100, Dave Kennard wrote:
>
> This is probably me doing something stupid, but I can't get nginx to run
> when built to use boringssl. When trying to run it (nginx -t) I get the
> error: undefined symbol: CRYPTO_chacha_20
>
> I think it's just that it isn't loading the boringssl shared libs.
>
> Nginx is configured as follows:
>
> ./configure --prefix=/opt/nginx-1.27.1 \
> ??? --with-pcre={{ tarballs_path }}/pcre2-{{ pcre_version }} \
> ??? --with-pcre-jit \
> ??? --without-http_autoindex_module \
> ??? --without-http_empty_gif_module \
> ??? --without-http_ssi_module \
> ??? --with-http_ssl_module \
> ??? --with-http_v2_module \
> ??? --with-http_v3_module \
> ??? --with-ipv6 \
> ??? --with-http_gzip_static_module \
> ??? --with-http_realip_module \
> ??? --add-module=../ngx_http_geoip2_module \
> ??? --with-http_perl_module --with-perl_modules_path=perl/lib \
> ??? --with-cc-opt='-I/opt/GeoIP/include -I/opt/boringssl/include' \
> ??? --with-ld-opt='-Wl,-R,/opt/GeoIP/lib -L/opt/GeoIP/lib
> -L/opt/boringssl/lib'
>
> And boringssl:
>
> cmake -B build -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1
> -DCMAKE_INSTALL_PREFIX=/opt/boringssl-{{ ansible_date_time.date }}
>
> (/opt/boringssl is symlinked to /opt/boringssl-{{ ansible_date_time.date }})
>
> Can anyone suggest what the problem might be?
>
> Options you use suggest that you are building with shared BorinSSL
> library installed in a non-default location.  The error you are
> seeing is likely a result of loading OpenSSL library from the
> default library path instead.
>
> Using "-R/opt/boringssl/lib" in ld options might be the way to go,
> similarly to how you already do with the GeoIP library.

Because this happens at runtime (and not compile time, and not link time):

> When trying to run it (nginx -t) I get the
> error: undefined symbol: CRYPTO_chacha_20

It appears you have a runtime path problem. /opt/boringssl/lib is not on-path.

Try this:

    LD_LIBRARY_PATH="/opt/boringssl/lib:${LD_LIBRARY_PATH}" nginx -t

If that fixes the issue, then add the following to your linker options
to permanently solve the issue:

    -Wl,-R/opt/boringssl/lib -Wl,--enable-new-dtags

The "-Wl" tells the compiler driver to pass the option to the linker.
You can omit the "-Wl" if you are directly invoking the `ld` linker.
You need "-Wl` if you are driving link through `gcc` (or other
compiler driver).

You should also add "-Wl,--enable-new-dtags" to the linker options to
enable RUNPATHs rather than RPATHs. RUNPATHs allow runtime overrides.

Jeff