PLEASE HELP - How do I include OpenSSL in my code?

[cpptutor2000]

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

int main(){
unsigned char temp[4];

RAND_bytes(temp, 4);
return 0;
}

If I type: whereis openssl
I get: openssl: /usr/bin/openssl /usr/include/openssl
/usr/share/man/man1/openssl.1ssl.gz

I compile this as:
gcc -g -o test test.c -I/usr/include/openssl -L/usr/bin/openssl

I get a linker error message as :
/tmp/cc4tQEqd.o(.text+0x1af0): In function `main':
/home/ecelrc/students/abanerj/cpp/test.c:6: undefined reference to
`RAND_bytes'

Could someone please point out what I am doing wrong? Any help would be
greatly
appreciated.

 

[Richard Heathfield]

(e-mail address removed) said:

I get a linker error message as :
/tmp/cc4tQEqd.o(.text+0x1af0): In function `main':
/home/ecelrc/students/abanerj/cpp/test.c:6: undefined reference to
`RAND_bytes'

You forgot to add -lssl to the end of your gcc line.

Strictly speaking, third party libs are off-topic in clc - but hey, I won't
tell if you don't.

Next time, though, try a Linux group, just to play safe. Here, we get all
antsy if it ain't ANSI.

 

[Martin Ambuhl]

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

You're trying to get us into trouble, aren't you. Even if openssl were

 

[Ben C]

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

int main(){
unsigned char temp[4];

RAND_bytes(temp, 4);
return 0;
}

If I type: whereis openssl
I get: openssl: /usr/bin/openssl /usr/include/openssl
/usr/share/man/man1/openssl.1ssl.gz

I compile this as:
gcc -g -o test test.c -I/usr/include/openssl -L/usr/bin/openssl

I get a linker error message as :
/tmp/cc4tQEqd.o(.text+0x1af0): In function `main':
/home/ecelrc/students/abanerj/cpp/test.c:6: undefined reference to
`RAND_bytes'

Could someone please point out what I am doing wrong? Any help would be
greatly
appreciated.

You need -l.

-L tells gcc where to look for libraries, -l tells it what libraries to
look in for symbols.

-lxxx means "look for a library called libxxx.a in the usual places".
You add places to "the usual places", if necessary, with -L.

The library you want is libssl.a and is quite likely in /usr/lib, where
gcc looks anyway, so -lssl with no -L option will probably do the trick:

$ gcc -g -o test test.c -I/usr/include/openssl -lssl

or also add -L/usr/lib/openssl (or something, depending on where
libssl.a is on your system) if you need it.

(gnu.gcc.help is the right NG for this by the way).

 

[Andrew Poelstra]

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

You're trying to get us into trouble, aren't you. Even if openssl were

[snipped]

It wouldn't scare me off, but seeing people posting solid walls of text
in all caps would.

My poor eyes...

Also, if you understood basic import/export cryptography laws, those
warnings would be warnings and you'd know how to avoid legal issues.
For example, there are no laws barring export between the US and
Canada that I know of, but to transfer cryposystems overseas you must
not use an electronic form.

 

[Martin Ambuhl]

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

You're trying to get us into trouble, aren't you. Even if openssl were

[snipped]

It wouldn't scare me off, but seeing people posting solid walls of text
in all caps would.

On the other hand, changing the text from the openssl website to cater to

My poor eyes...

would be dishonest. It is not the posting that is all caps, but the
quoted text.

Also, if you understood basic import/export cryptography laws, those
warnings would be warnings and you'd know how to avoid legal issues.

If you sufficiently understand these laws well enough to be sure of
avoiding problems (and the courts do not agree on what that
interpretation should be), then you should be getting the big bucks as a
corporate lawyer insted of programming.

For example, there are no laws barring export between the US and
Canada that I know of, but to transfer cryposystems overseas you must
not use an electronic form.

Now you expect us to treat messages posted as somehow limited to the US
and Canada, and further to rely on your imperfect knowledge ("that I
know of"). Ephraim, you are a cake not turned.

 

[Richard Heathfield]

Andrew Poelstra said:

Also, if you understood basic import/export cryptography laws, those
warnings would be warnings and you'd know how to avoid legal issues.
For example, there are no laws barring export between the US and
Canada that I know of, but to transfer cryposystems overseas you must
not use an electronic form.

I've got news for you, folks - we already have strong crypto outside the
USA. We've had unbreakable crypto (albeit impractical for many purposes)
for almost a century, and almost-unbreakable public/private key for - well,
for just a few years longer than you.

And in any case, inventing a reasonably secure cryptosystem is, frankly,
trivial. The tricky bit is not the "technology" if that's the word, but the
usage - a great many ciphers are cracked not because they are inherently
weak but because they are misused.

The genie has been out of the bottle for a very long time.

 

[Walter Roberson]

Also, if you understood basic import/export cryptography laws, those
warnings would be warnings and you'd know how to avoid legal issues.
For example, there are no laws barring export between the US and
Canada that I know of, but to transfer cryposystems overseas you must
not use an electronic form.

There *are* laws controlling the export of cryptography from the US to
Canada. Those laws happen to say something on the order of, "providing
these conditions are met, no export permit is required" to export to
Canada, and that "providing these conditions are met, there is an
automatic export permit" to a small number of other countries. The
catch is in the "these conditions are met" portion.

For example, if a citizen of one of the six or so designated "hostile
countries" manages to legally reach the USA, then that citizen may
freely use strong cryptography *within the USA*, and that foreign
citizen may buy books, attend lectures, enter a cryptography PhD
program and so on -- as long as that foreign citizen does not -export-
the cryptographic programs.

I, a Canadian citizen, can buy and utilize US-originated strong
encryption programs within Canada (or to the USA or the other select
countries). However, the way the US export laws are written, if the
strong encryption program had been exported from the USA, then I [in
Canada] could not permit that same foreign citizen from using my copy
of the program, not even just to communicate within Canada between they
and I.


Now, it happens that some of our employees are from one of those
designated countries; and I am not permitted to discriminate against
any employee based upon country of origin, so my choice was effectively
to either be careful only to use cryptography that did not originate in
the USA, or else to not make cryptographic services routinely available
to any of our employees.

I did raise this point with our corporate security people at one point;
they believed that there was an exemption covering the situation, but
they did not have any justification available for such an exemption; I
gather that they casually asked someone who works for A Four Letter
Acronym {Three Letter Acronyms are for the USA ;-) } and were casually
told it wasn't a problem. (I preferred a stronger reassurance...)

 

[Andrew Poelstra]

(e-mail address removed) wrote:

Could some C guru please help me? I have a simple piece of code as:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

You're trying to get us into trouble, aren't you. Even if openssl were
on topic here, or if your implementation-specific question were on
topic, the language from the openssl site would scre me off:

[snipped]

It wouldn't scare me off, but seeing people posting solid walls of text
in all caps would.

On the other hand, changing the text from the openssl website to cater to

He needed neither to change the text or to quote it at all.

would be dishonest. It is not the posting that is all caps, but the
quoted text.

I know; but on the site I can set stylesheets so that the colors aren't
so painful (slrn put the post in red on black).

If you sufficiently understand these laws well enough to be sure of
avoiding problems (and the courts do not agree on what that
interpretation should be), then you should be getting the big bucks as a
corporate lawyer insted of programming.

See below.

Now you expect us to treat messages posted as somehow limited to the US
and Canada, and further to rely on your imperfect knowledge ("that I
know of"). Ephraim, you are a cake not turned.

"For example" does not mean "As applies to everyone here". US/Canada is
the border that concerns me personally the most, but I'm in no way
speaking for everyone.

 

[Andrew Poelstra]

Andrew Poelstra said:



I've got news for you, folks - we already have strong crypto outside the
USA. We've had unbreakable crypto (albeit impractical for many purposes)
for almost a century, and almost-unbreakable public/private key for - well,
for just a few years longer than you.

Yes, I'm well aware of that.

And in any case, inventing a reasonably secure cryptosystem is, frankly,
trivial. The tricky bit is not the "technology" if that's the word, but the
usage - a great many ciphers are cracked not because they are inherently
weak but because they are misused.

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem". I prefer to say
simply that only cryptographers can make decent ciphers. It saves me
from every having to debug a homebrew one.

 

[Richard Heathfield]

Andrew Poelstra said:

And in any case, inventing a reasonably secure cryptosystem is, frankly,
trivial. The tricky bit is not the "technology" if that's the word, but
the usage - a great many ciphers are cracked not because they are
inherently weak but because they are misused.

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem".

And so it is, provided nobody actually tries to crack it (which, again, is
true of most cryptosystems!).

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

 

[Clever Monkey]

You're trying to get us into trouble, aren't you. Even if openssl were

Why is this scary? It's just a typical "you cannot sue us" extension of
the BSD license. In reality there are only a few countries where this
would be a problem. A hint is that OpenSSL development having to do
with encryption is not done in those countries (and therefore, not
subject to export law). They ship from those countries "because they
can" (quote from the OpenSSL website).

Even in the US, as long as you do not export the software you write
based on strong crypto like OpenSSL you should be fine. It is not
illegal to code (yet). Most export laws are triggered once you try to
sell or provide software based on such tech to another country or agent
of another country.

However, the laws regarding such material are byzantine and subject to
broad interpretation. This warning is a just a YMMV.

 

[Martin Ambuhl]

Why is this scary? It's just a typical "you cannot sue us" extension of How about this:
the BSD license.

The BSD license is irrelevant. We have a government in the US that is
technically challenged (so they don't understand the pointlessness of
these attempts to control information about cryptology) and with a will
to arrest on the slightest provocation.

In reality there are only a few countries where this
would be a problem.

"A few countries" are a serious problem with an uncontrolled medium like
a newsgroup.

Even in the US, as long as you do not export the software you write
based on strong crypto like OpenSSL you should be fine. It is not
illegal to code (yet).

Please don't offer legal advice unless you are willing to be sued should
it go wrong. The original poster asked for technical suggestions. Are
you willing to bet your freedom and property that the government will
not come after people who answer him? Are you willing to bet your
freedom and property that this newsgroup does not reach those "few
countries" in which this could be a problem.

 

[Malcolm]

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem".

And so it is, provided nobody actually tries to crack it (which, again, is
true of most cryptosystems!).

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up
with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

But if you are scanning every email sent in the country, for the string "Mr
Vladimir orders three quarts of cheese", then those ten minutes are
prohibitive.

 

[Andrew Poelstra]

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem".

And so it is, provided nobody actually tries to crack it (which, again, is
true of most cryptosystems!).

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up
with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

But if you are scanning every email sent in the country, for the string "Mr
Vladimir orders three quarts of cheese", then those ten minutes are
prohibitive.

Don't cut attribution lines; it took me five minutes to figure out that I
had made the post Richard replied to.

Once you crack a message, you can figure out the algorithm, and from there it
no longer takes 10 minutes per message.

 

[Richard Heathfield]

Malcolm said:

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem".

And so it is, provided nobody actually tries to crack it (which, again,
is true of most cryptosystems!).

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up
with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

But if you are scanning every email sent in the country, for the string
"Mr Vladimir orders three quarts of cheese", then those ten minutes are
prohibitive.

Yes, but this was (almost) twenty years ago, by hand. With a computer, it
would have taken approximately three xesoseconds[1] to crack the code -
which, despite all its superficial complexity, was a mono.

Two common mistakes made by bozocryptographers are:

(1) they think that, to get the plaintext, the cryppies are required to
reverse-engineer the actual (secret) cryptosystem devised by the
cryptographer;
(2) they don't realise that two (or even a great many more than two)
substitution schemes are basically the same as one substitution scheme and
can be solved as if they were one.

Well, it was almost twenty years ago, so I think I've known enough Andrews
that I can call the guy Andrew (his real name) without fear of embarrassing
him. What Andrew had done was to set up a monoalphabetic substitution
cipher (A = R, B = K, C = Z, whatever). He had then replaced each letter by
an entire word beginning with that letter. He then replaced the word by a
picture representing the word. And he then replaced the picture by a
four-digit number. He thought there was no way I'd be able to even guess
that pictures were involved (which was true!), and that therefore I would
be unable to decipher the message (which was not!).



[1] abbrev for "oneofthosenewfangledprefixesoseconds"

 

[Jordan Abel]

True; of course, most people who hear that believe that ciphertext =
plaintext ^ 5 is a "reasonably secure cryptosystem".

And so it is, provided nobody actually tries to crack it (which, again, is
true of most cryptosystems!).

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up
with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

But if you are scanning every email sent in the country, for the string "Mr
Vladimir orders three quarts of cheese", then those ten minutes are
prohibitive.

Don't cut attribution lines; it took me five minutes to figure out that I
had made the post Richard replied to.

Once you crack a message, you can figure out the algorithm, and from there it
no longer takes 10 minutes per message.

Assuming the secret is also the same for all the other messages - an
algorithm on its own buys you very little.

 

[Old Wolf]

When people do try to roll their own, it is sometimes embarrassing to see
just how quickly they can be broken. A guy I used to work with came up with
what he thought was an uncrackably complex scheme. He had spent several
days designing it. He gave me no algorithm, just some ciphertext, and it
took me about ten minutes. <sigh>

But you are a genius. See:
http://groups.google.com/group/comp.lang.c/msg/e105e5d339edec01