OpenSSL+GOST Russian cipher algorithm

Support for security such as Firewalls and securing linux
arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/08 11:37:01

Hi everyone! Sorry for my English. I am trying to build OpenSSL with the GOST algorithm from the OpenSSL-1.0 SRPM (http://mirror.yandex.ru/centos/6/updates/SRPMS/openssl-1.0.0-4.el6_0.1.src.rpm), but I cannot understand where this is set in the .spec file.

When I build an RPM package from the upstream source (http://www.openssl.org/source/openssl-1.0.0d.tar.gz), I change the .spec file to "%ifarch i386 i486 i586 i686
./Configure %{CONFIG_FLAGS} linux-elf shared zlib enable-rfc3779", then run "rpmbuild -ba --target=i686 openssl.spec". I try to install the resulting package with "rpm -Uvh openssl-1.0.0d.i686.rpm", but the system gives an error.

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/10 09:52:39

Hi everyone! Part of the problem is solved. When building the package I get this error:

gcc -I.. -I../.. -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -march=i686 -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o p_lib.o p_lib.c
p_lib.c:318: error: expected declaration specifiers or '...' before 'EC_KEY'
p_lib.c: In function 'EVP_PKEY_set1_EC_KEY':
p_lib.c:320: warning: implicit declaration of function 'EVP_PKEY_assign_EC_KEY'
p_lib.c:320: error: 'key' undeclared (first use in this function)
p_lib.c:320: error: (Each undeclared identifier is reported only once
p_lib.c:320: error: for each function it appears in.)
p_lib.c:322: warning: implicit declaration of function 'EC_KEY_up_ref'
p_lib.c: At top level:
p_lib.c:326: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
make[2]: *** [p_lib.o] Error 1
make[2]: Leaving directory `/root/rpmbuild/BUILD/openssl-1.0.0/crypto/evp'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/root/rpmbuild/BUILD/openssl-1.0.0/crypto'
make: *** [build_crypto] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.m2f97n (%build)

How to solve the problem?

My spec file:

[code]
# For the curious:
# 0.9.5a soversion = 0
# 0.9.6 soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
%define soversion 10


# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
Release: 4%{?dist}.2
Source: openssl-%{version}-usa.tar.bz2
Source2: Makefile.certificate
Source6: make-dummy-cert
Source8: openssl-thread-test.c
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
# Build changes
Patch0: openssl-1.0.0-beta4-redhat.patch
Patch1: openssl-1.0.0-beta3-defaults.patch
Patch3: openssl-1.0.0-beta3-soversion.patch
Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
# Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch
Patch24: openssl-1.0.0-beta4-binutils.patch
Patch25: openssl-1.0.0-gost-cfb.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-1.0.0-beta5-cipher-change.patch
Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch48: openssl-0.9.8j-bad-mime.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
Patch51: openssl-1.0.0-version.patch
Patch60: openssl-1.0.0-nofips.patch

License: OpenSSL
Group: System Environment/Libraries
URL: http://www.openssl.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
BuildRequires: /usr/bin/rename
Requires: mktemp, ca-certificates >= 2008-5

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}, krb5-devel, zlib-devel
Requires: pkgconfig

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%package static
Summary: Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel = %{version}-%{release}

%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Group: Applications/Internet
Requires: perl
Requires: %{name} = %{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%setup -q -n %{name}-%{version}

%patch0 -p1 -b .redhat
%patch1 -p1 -b .defaults
%patch3 -p1 -b .soversion
%patch4 -p1 -b .enginesdir
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost

%patch23 -p1 -b .default-paths
%patch24 -p1 -b .binutils
%patch25 -p1 -b .gost-cfb

%patch32 -p1 -b .ia64
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
%patch38 -p1 -b .cipher-change
%patch39 -p1 -b .ipv6-apps
%patch45 -p1 -b .env-nozlib
%patch47 -p1 -b .warning
%patch48 -p1 -b .bad-mime
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version
%patch60 -p1 -b .nofips

# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`

# Generate a table with the compile settings for my perusal.
touch Makefile
make TABLE PERL=%{__perl}

%build
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_arch}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
sslflags="no-asm 386"
fi
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux-generic64 -DB_ENDIAN"
%endif
%ifarch %{arm} sh3 sh4
sslarch=linux-generic32
%endif
# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
./Configure \
--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 no-idea no-mdc2 \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch}

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
make depend
make all

# Generate hashes for the included certs.
make rehash


%check
# Verify that what was compiled actually works.

# We must revert patch33 before tests otherwise they will fail
patch -p1 -R < %{PATCH33}

LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
make -C test apps tests
PATH=/usr/kerberos/bin:$PATH
export PATH
%{__cc} -o openssl-thread-test \
`krb5-config --cflags` \
-I./include \
$RPM_OPT_FLAGS \
%{SOURCE8} \
-L. \
-lssl -lcrypto \
`krb5-config --libs` \
-lpthread -lz -ldl
#./openssl-thread-test --threads %{thread_test_threads}

# Add generation of HMAC checksum of the final stripped library

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
make INSTALL_PREFIX=$RPM_BUILD_ROOT install
make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
# OpenSSL install doesn't use correct _libdir on 64 bit archs
if [ -d $RPM_BUILD_ROOT/%{_libdir}/engines ]; then
mkdir $RPM_BUILD_ROOT/%{_libdir}/openssl || true
mv $RPM_BUILD_ROOT/%{_libdir}/engines $RPM_BUILD_ROOT/%{_libdir}/openssl/engines
fi
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}

done

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert

# Make sure we actually include the headers we built against.
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then
install -m644 include/openssl/`basename ${header}` ${header}
fi
done

# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
for manpage in man*/* ; do
if [ -L ${manpage} ]; then
TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
ln -snf ${TARGET}ssl ${manpage}ssl
rm -f ${manpage}
else
mv ${manpage} ${manpage}ssl
fi
done
for conflict in passwd rand ; do
rename ${conflict} ssl${conflict} man*/${conflict}*
done
popd

# Pick a CA script.
pushd $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc
mv CA.sh CA
popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private

# Ensure the openssl.cnf timestamp is identical across builds to avoid
# multilib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf

# Fix libdir.
pushd $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
for i in *.pc ; do
sed 's,^libdir=${exec_prefix}/lib,libdir=${exec_prefix}/%{_lib},g' \
$i >$i.tmp && \
cat $i.tmp >$i && \
rm -f $i.tmp
done
popd

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif

%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%endif

# Remove unused files from upstream fips support
rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.*
rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%doc FAQ LICENSE CHANGES NEWS INSTALL README
%doc doc/c-indentation.el doc/openssl.txt
%doc doc/openssl_button.html doc/openssl_button.gif
%doc doc/ssleay.txt
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
%{_sysconfdir}/pki/tls/certs/Makefile
%dir %{_sysconfdir}/pki/tls/misc
%{_sysconfdir}/pki/tls/misc/CA
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%{_sysconfdir}/pki/tls/misc/c_*
%{_sysconfdir}/pki/tls/private

%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf

%attr(0755,root,root) %{_bindir}/openssl
%attr(0755,root,root) %{_libdir}/*.so.%{version}
%attr(0755,root,root) %{_libdir}/*.so.%{soversion}
%attr(0755,root,root) %{_libdir}/openssl
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
%attr(0644,root,root) %{_mandir}/man5*/*
%attr(0644,root,root) %{_mandir}/man7*/*

%files devel
%defattr(-,root,root)
%{_prefix}/include/openssl
%attr(0755,root,root) %{_libdir}/*.so
%attr(0644,root,root) %{_mandir}/man3*/*
%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc

%files static
%defattr(-,root,root)
%attr(0644,root,root) %{_libdir}/*.a

%files perl
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/c_rehash
%attr(0644,root,root) %{_mandir}/man1*/*.pl*
%{_sysconfdir}/pki/tls/misc/*.pl
%{_sysconfdir}/pki/tls/misc/tsget

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%changelog
* Tue Dec 7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-4.2
- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864 (#649304)
[/code]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

OpenSSL+GOST Russian cipher algorithm

Post by pschaff » 2011/08/10 20:49:32

It is very difficult to guess what is happening from the information provided.

First, if you are going to rebuild an SRPM, starting with the latest (currently openssl-1.0.0-4.el6_0.2.src.rpm for CentOS-6, openssl-1.0.0-10.el6_1.4.src.rpm for upstream) would be advisable.

Second, showing the differences (from [b]diff[/b]) between your spec file and the original would be more useful than the whole thing.

Third, you are apparently attempting to apply a patch "Patch25: openssl-1.0.0-gost-cfb.patch". Where did you get that and what are the contents?

Fourth, never build as root. See [url=http://wiki.centos.org/HowTos/RebuildSRPM]How to Rebuild a Source RPM[/url].

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/11 08:38:12

Thank you for your reply. Let's start (using openssl-1.0.0-4.el6_0.2.src.rpm):
[code]
1) diff openssl.spec.my openssl.spec.original

14d13
<
25a25,26
> # We remove certain patented algorithms from the openssl source tarball
> # with the hobble-openssl script which is included below.
26a28
> Source1: hobble-openssl
31a34
> Source11: README.FIPS
41,42c44,45
< Patch24: openssl-1.0.0-beta4-binutils.patch
< Patch25: openssl-1.0.0-gost-cfb.patch
---
> Patch24: openssl-0.9.8j-bad-mime.patch
> Patch25: openssl-1.0.0a-manfix.patch
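Review bot: Patch24 and Patch25 are redefined on the left-hand side to point at different files (binutils and gost-cfb instead of bad-mime and manfix), and the manfix patch disappears entirely. Reusing existing patch numbers is what makes this diff hard to follow; give new patches fresh, unused numbers and leave the stock Patch24/Patch25 entries as they are, so the diff shows only what was added.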
49a53,56
> Patch40: openssl-1.0.0-fips.patch
> Patch41: openssl-1.0.0-beta3-fipscheck.patch
> Patch43: openssl-1.0.0-beta3-fipsmode.patch
> Patch44: openssl-1.0.0-beta3-fipsrng.patch
52d58
< Patch48: openssl-0.9.8j-bad-mime.patch
56c62,70
< Patch60: openssl-1.0.0-nofips.patch
---
> Patch52: openssl-1.0.0-beta4-aesni.patch
> Patch53: openssl-1.0.0-name-hash.patch
> # Backported fixes including security fixes
> Patch60: openssl-1.0.0-dtls1-backports.patch
> Patch61: openssl-1.0.0-init-sha256.patch
> Patch62: openssl-1.0.0-cve-2010-0742.patch
> Patch63: openssl-1.0.0-cve-2010-1633.patch
> Patch64: openssl-1.0.0-cve-2010-3864.patch
> Patch65: openssl-1.0.0-cve-2010-4180.patch
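Review bot: the right-hand (original) side of this hunk carries Patch60 through Patch65, which the stock spec labels as backported fixes including security fixes (dtls1 backports, cve-2010-0742, cve-2010-1633, cve-2010-3864, cve-2010-4180), and the left-hand side replaces all of them with the single openssl-1.0.0-nofips.patch. A package built from the modified spec would ship without those fixes. Keep Patch52-65 and their %patch lines, and add the nofips patch under a new number.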
107a122
> %{SOURCE1} > /dev/null
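Review bot: dropping `%{SOURCE1} > /dev/null` takes the hobble-openssl step out of %prep, but the source the spec unpacks is openssl-%{version}-usa.tar.bz2, and the comment added at 25a25,26 says the patented algorithms are removed from that tarball. If the EC sources are already absent from the tarball, Configure without no-ec cannot bring them back, and the build fails exactly as shown later in the thread with 'EC_KEY' undeclared in crypto/evp/p_lib.c. Check that crypto/ec/ is populated after %prep, or build from the upstream openssl-1.0.0.tar.gz instead.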
116,119c131,132
< #удалить если не пойдет
< %patch48 -p1 -b .bad-mime
< %patch24 -p1 -b .binutils
< %patch25 -p1 -b .gost-cfb
---
> %patch24 -p1 -b .bad-mime
> %patch25 -p1 -b .manfix
126a140,143
> %patch40 -p1 -b .fips
> %patch41 -p1 -b .fipscheck
> %patch43 -p1 -b .fipsmode
> %patch44 -p1 -b .fipsrng
129d145
< #%patch48 -p1 -b .bad-mime
133c149,157
< %patch60 -p1 -b .nofips
---
> %patch52 -p1 -b .aesni
> %patch53 -p1 -b .name-hash
>
> %patch60 -p1 -b .dtls1
> %patch61 -p1 -b .sha256
> %patch62 -p1 -b .originfo
> %patch63 -p1 -b .recover
> %patch64 -p1 -b .extrace
> %patch65 -p1 -b .disable-nsbug
142c166
< %build
---
> %build
167c191
< sslarch="linux-generic64 -DB_ENDIAN"
---
> sslarch="linux-s390x"
179c203
< enable-cms enable-md2 no-idea no-mdc2 \
---
> enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
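Review bot: the stock spec disables rc5 separately from ec/ecdh/ecdsa, and the left-hand side drops all four. The GOST engine depends on the EC code (GOST R 34.10-2001 is an elliptic-curve signature scheme) but not on RC5, so only the three no-ec* options need to go; keep no-rc5 unless something else in the build requires it.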
181c205
< --with-krb5-dir=/usr shared ${sslarch}
---
> --with-krb5-dir=/usr shared ${sslarch} fips
191a216,217
> # Overwrite FIPS README
> cp -f %{SOURCE11} .
202,204c228
< PATH=/usr/kerberos/bin:$PATH
< export PATH
< %{__cc} -o openssl-thread-test \
---
> %{__cc} -o openssl-thread-test \
213c237
< #./openssl-thread-test --threads %{thread_test_threads}
---
> ./openssl-thread-test --threads %{thread_test_threads}
215a240,248
> %define __spec_install_post \
> %{?__debug_package:%{__debug_install_post}} \
> %{__arch_install_post} \
> %{__os_install_post} \
> crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
> ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
> crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
> ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
> %{nil}
223,227c256
< # OpenSSL install doesn't use correct _libdir on 64 bit archs
< if [ -d $RPM_BUILD_ROOT/%{_libdir}/engines ]; then
< mkdir $RPM_BUILD_ROOT/%{_libdir}/openssl || true
< mv $RPM_BUILD_ROOT/%{_libdir}/engines $RPM_BUILD_ROOT/%{_libdir}/openssl/engines
< fi
---
> mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
230d258
< mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
274a303,305
> mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
> mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
> mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
327a359
> %doc README.FIPS
335a368,370
> %dir %{_sysconfdir}/pki/CA/certs
> %dir %{_sysconfdir}/pki/CA/crl
> %dir %{_sysconfdir}/pki/CA/newcerts
343a379,380
> %attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
> %attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac



2)cat openssl-1.0.0-gost-cfb.patch
--- openssl-1.0.0/engines/ccgost/gost_crypt.c.orig 2010-04-16 17:26:29.000000000 +0400
+++ openssl-1.0.0/engines/ccgost/gost_crypt.c 2010-04-16 17:26:56.000000000 +0400
@@ -299,7 +299,7 @@
if (i<inl)
{
gost_crypt_mesh(ctx->cipher_data,ctx->iv,ctx->buf);
- if (!ctx->encrypt) memcpy(ctx->buf+8,in_ptr,j);
+ if (!ctx->encrypt) memcpy(ctx->buf+8,in_ptr,inl-i);
for (j=0;i<inl;j++,i++)
{
out_ptr[j]=ctx->buf[j]^in_ptr[j];[/code][Moderator edit: Added [i]code[/i] tags to preserve formatting.]
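Review bot: the new length inl-i is the number of input bytes still to be processed, whereas the old j was whatever the previous loop left behind, so the decrypt-side copy into ctx->buf+8 could use a stale count. The hunk carries no comment saying so; add one line explaining that buf+8 receives the ciphertext of the final partial block for CFB decryption and that the remaining count is below the 8-byte block size at this point, so the copy stays inside the buffer.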

3) When building as a regular user, the error remains.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: OpenSSL+GOST Russian cipher algorithm

Post by pschaff » 2011/08/11 11:22:00

[quote]
arbyz wrote:
Thank you for your reply. Let's start (using openssl-1.0.0-4.el6_0.2.src.rpm):

1) diff openssl.spec.my openssl.spec.original[/quote]

That appears to be the diff from the spec from openssl-1.0.0-4.el6_0.2.src.rpm, rather than the one you started with, so the differences are quite confusing. I would suggest incrementally applying minimal changes to the latest spec and trying to rebuild at each step, as required to get where you need to be.
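pschaff's advice, diff the spec against the one you started from and change it incrementally, can be mechanised so that a dropped or renumbered patch is caught before rpmbuild runs. The script below is an added example, not code from the thread or from the openssl package. The two spec fragments it audits are constructed from Patch lines visible in this thread and are not complete spec files; the security-fix heuristic (matching cve-, security or backport in the patch name) is an assumption of this example, not an rpm convention.

```python
"""Audit the Patch declarations of a modified RPM spec against the stock spec.

Added example, not code from the thread or from the openssl package.  It
reports patches the modified spec drops, adds, renumbers or declares without
applying, and flags dropped patches whose names look like security fixes.
ORIGINAL_SPEC and MODIFIED_SPEC are constructed fragments built from Patch
lines visible in the thread; they are not complete spec files.
"""
import re

ORIGINAL_SPEC = """\
Patch24: openssl-0.9.8j-bad-mime.patch
Patch25: openssl-1.0.0a-manfix.patch
Patch40: openssl-1.0.0-fips.patch
Patch53: openssl-1.0.0-name-hash.patch
# Backported fixes including security fixes
Patch60: openssl-1.0.0-dtls1-backports.patch
Patch62: openssl-1.0.0-cve-2010-0742.patch
Patch64: openssl-1.0.0-cve-2010-3864.patch

%prep
%patch24 -p1 -b .bad-mime
%patch25 -p1 -b .manfix
%patch40 -p1 -b .fips
%patch53 -p1 -b .name-hash
%patch60 -p1 -b .dtls1
%patch62 -p1 -b .originfo
%patch64 -p1 -b .extrace
"""

# Modelled on the thread's modified spec: numbers 24/25 reused for new files,
# bad-mime moved to 48, the fips/CVE patches replaced by a single nofips patch,
# and Patch53 still declared but its %patch line removed.
MODIFIED_SPEC = """\
Patch24: openssl-1.0.0-beta4-binutils.patch
Patch25: openssl-1.0.0-gost-cfb.patch
Patch48: openssl-0.9.8j-bad-mime.patch
Patch53: openssl-1.0.0-name-hash.patch
Patch60: openssl-1.0.0-nofips.patch

%prep
%patch48 -p1 -b .bad-mime
%patch24 -p1 -b .binutils
%patch25 -p1 -b .gost-cfb
#%patch48 -p1 -b .bad-mime
%patch60 -p1 -b .nofips
"""

DECL_RE = re.compile(r"^\s*Patch(\d+)\s*:\s*(\S+)", re.MULTILINE)
APPLY_RE = re.compile(r"^\s*%patch(\d+)\b", re.MULTILINE)
# Heuristic of this example only: patch names that suggest a security fix.
SECURITY_RE = re.compile(r"cve-|security|backport", re.IGNORECASE)


def parse_spec(text):
    """Return ({patch number: file}, {applied patch numbers}) for one spec.

    Lines starting with '#' are not matched, so a commented-out %patch counts
    as not applied.  (rpm may still expand macros inside comments; '%%patch'
    is the safe way to comment one out.)
    """
    declared = {int(n): name for n, name in DECL_RE.findall(text)}
    applied = {int(n) for n in APPLY_RE.findall(text)}
    return declared, applied


def audit(original, modified):
    """Compare two specs and return the differences that matter for a rebuild."""
    orig_decl, _ = parse_spec(original)
    mod_decl, mod_applied = parse_spec(modified)
    orig_files, mod_files = set(orig_decl.values()), set(mod_decl.values())

    def numbers_of(decl, name):
        return sorted(n for n, f in decl.items() if f == name)

    dropped = sorted(orig_files - mod_files)
    return {
        "dropped": dropped,
        "dropped_security": [f for f in dropped if SECURITY_RE.search(f)],
        "added": sorted(mod_files - orig_files),
        "renumbered": sorted(f for f in orig_files & mod_files
                             if numbers_of(orig_decl, f) != numbers_of(mod_decl, f)),
        "declared_not_applied": sorted(f for n, f in mod_decl.items() if n not in mod_applied),
        "applied_not_declared": sorted(n for n in mod_applied if n not in mod_decl),
    }


if __name__ == "__main__":
    for key, value in audit(ORIGINAL_SPEC, MODIFIED_SPEC).items():
        print(f"{key:22s} {value}")
```

Run against the two fragments it lists the three dropped security patches, the renumbered bad-mime patch and the name-hash patch that is declared but never applied; point it at the real `openssl.spec` pair (read the files into the two variables) to get the same report for a full spec.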

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/11 11:38:31

Well, I'll try.

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/11 13:54:49

So, I started from scratch (using only openssl-1.0.0-4.el6_0.2.src.rpm).

1) Remove from the .spec file:

# Patch40: openssl-1.0.0-fips.patch
# Patch41: openssl-1.0.0-beta3-fipscheck.patch
# Patch43: openssl-1.0.0-beta3-fipsmode.patch
# Patch44: openssl-1.0.0-beta3-fipsrng.patch

#%patch40 -p1 -b .fips
#%patch41 -p1 -b .fipscheck
#%patch43 -p1 -b .fipsmode
#%patch44 -p1 -b .fipsrng

In the configure block, delete "fips".

Also remove:
# rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
# rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.*
# rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*

And at the end remove:
#%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
#%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac


rpmbuild -ba --target=i686 openssl.spec

Configure and build complete without errors.

Applying openssl-1.0.0-nofips.patch as well: configure and build still complete without errors.

Next, to enable support for the GOST algorithm, rc5, ec, ecdh and ecdsa must be enabled, so in the configure block add enable-rc5 enable-ec enable-ecdh enable-ecdsa.

rpmbuild -ba --target=i686 openssl.spec

Building the package then fails:

gcc -I.. -I../.. -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -march=i686 -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o p_lib.o p_lib.c
p_lib.c:318: error: expected declaration specifiers or '...' before 'EC_KEY'
p_lib.c: In function 'EVP_PKEY_set1_EC_KEY':
p_lib.c:320: warning: implicit declaration of function 'EVP_PKEY_assign_EC_KEY'
p_lib.c:320: error: 'key' undeclared (first use in this function)
p_lib.c:320: error: (Each undeclared identifier is reported only once
p_lib.c:320: error: for each function it appears in.)
p_lib.c:322: warning: implicit declaration of function 'EC_KEY_up_ref'
p_lib.c: At top level:
p_lib.c:326: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token
make[2]: *** [p_lib.o] Error 1
make[2]: Leaving directory `/home/paul/rpmbuild/BUILD/openssl-1.0.0/crypto/evp'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/paul/rpmbuild/BUILD/openssl-1.0.0/crypto'
make: *** [build_crypto] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.Nec8Ko (%build)

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/11 14:00:23

[code]
[paul@centos SOURCES]$ cat openssl-1.0.0-nofips.patch
--- openssl-1.0.0/crypto/cryptlib.c.orig 2010-04-16 16:11:03.000000000 +0400
+++ openssl-1.0.0/crypto/cryptlib.c 2010-04-16 16:14:38.000000000 +0400
@@ -881,5 +881,22 @@
_exit(3);
#endif
}
+#ifndef OPENSSL_FIPS
+int FIPS_mode(void) {
+ return 0;
+}

+int FIPS_mode_set(int mode) {
+ return 0;
+}
+
+int FIPSCHECK_verify(char *filename, char*symbol) {
+ return 0;
+}
+
+int FIPS_selftest_failed(void) {
+ return 1;
+}
+
+#endif
void *OPENSSL_stderr(void) { return stderr; }[/code][Moderator edit: Added [i]code[/i] tags to preserve formatting.]
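Review bot: FIPS_selftest_failed() is stubbed to return 1 while the other three stubs return 0. A non-zero return from FIPS_selftest_failed() means the power-up self-test failed, so any caller that checks it without first consulting FIPS_mode() will treat this non-FIPS build as broken. Return 0 unless the asymmetry is intentional, and add a comment above the #ifndef OPENSSL_FIPS block stating which callers these stubs exist to satisfy; the unused filename/symbol parameters of FIPSCHECK_verify() deserve a (void) cast or a comment as well.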

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: OpenSSL+GOST Russian cipher algorithm

Post by pschaff » 2011/08/11 18:36:18

It appears we are not privy to all the information. Is it necessary to remove all the FIPS stuff and apply the nofips.patch before applying gost-cfb.patch?

arbyz
Posts: 7
Joined: 2011/08/08 11:12:36

Re: OpenSSL+GOST Russian cipher algorithm

Post by arbyz » 2011/08/11 18:47:25

Yes, you need to completely remove FIPS support and configure OpenSSL with support for the ec, ecdh and ecdsa algorithms. The gost-cfb.patch can be left out; it is only a bug fix. The GOST algorithm is enabled automatically when you configure OpenSSL with ec, ecdh and ecdsa support.
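The claim in the last post, that GOST comes along automatically once ec, ecdh and ecdsa are enabled, is worth verifying against the installed binary rather than the build log. The script below is an added example, not code from the thread or from the openssl package. It assumes the OpenSSL 1.0.x command-line interface (`openssl ecparam -list_curves`, `openssl engine -t gost`, `openssl dgst -engine gost -md_gost94`); the GOOD_BUILD and HOBBLED_BUILD tables are constructed to resemble those commands' output so the decision logic can be exercised offline, and were not captured from a real build.

```python
"""Verify that a rebuilt OpenSSL 1.0.x binary really has EC and the GOST engine.

Added example, not code from the thread or from the openssl package.  It
assumes the OpenSSL 1.0.x command-line interface.  GOOD_BUILD and
HOBBLED_BUILD are constructed samples of what those commands print; they
were not captured from a real build.
"""
import subprocess
import sys


def run_openssl(args, openssl="openssl"):
    """Run the real binary with empty stdin; return (exit code, stdout+stderr)."""
    proc = subprocess.run([openssl, *args], input=b"", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, check=False)
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


def check_build(run):
    """Probe a build through run(args) -> (rc, output); return {check: passed}."""
    findings = {}
    # 1. EC present?  A build from a tarball with crypto/ec stripped, or one
    #    configured with no-ec, has no ecparam command at all.
    rc, out = run(["ecparam", "-list_curves"])
    findings["ec"] = rc == 0 and "prime256v1" in out
    # 2. GOST engine loadable?  `engine -t` reports "[ available ]" only when
    #    the engine initialises; GOST R 34.10-2001 needs the EC code.
    rc, out = run(["engine", "-t", "gost"])
    findings["gost_engine"] = rc == 0 and "[ available ]" in out
    # 3. GOST digest usable end to end?  Any "(stdin)= <hex>" line means the
    #    md_gost94 digest was resolved through the engine and computed.
    rc, out = run(["dgst", "-engine", "gost", "-md_gost94"])
    findings["gost_digest"] = rc == 0 and "(stdin)=" in out
    return findings


def failures(findings):
    """Names of the checks that did not pass, in a stable order."""
    return [name for name in ("ec", "gost_engine", "gost_digest") if not findings[name]]


def fake_runner(table):
    """Build a run() that answers from a {tuple(args): (rc, output)} table."""
    def run(args):
        return table[tuple(args)]
    return run


# Constructed sample outputs (not real captures).  The digest value is a
# placeholder, not a genuine GOST R 34.11-94 hash.
GOOD_BUILD = {
    ("ecparam", "-list_curves"): (0, "  secp112r1 : SECG/WTLS curve over a 112 bit prime field\n"
                                     "  prime256v1: X9.62/SECG curve over a 256 bit prime field\n"),
    ("engine", "-t", "gost"): (0, "(gost) Reference implementation of GOST engine\n"
                                  "     [ available ]\n"),
    ("dgst", "-engine", "gost", "-md_gost94"): (0, "engine \"gost\" set.\n(stdin)= " + "00" * 32 + "\n"),
}
HOBBLED_BUILD = {
    ("ecparam", "-list_curves"): (1, "openssl:Error: 'ecparam' is an invalid command.\n"),
    ("engine", "-t", "gost"): (1, "invalid engine \"gost\"\n"),
    ("dgst", "-engine", "gost", "-md_gost94"): (1, "invalid engine \"gost\"\n"),
}


if __name__ == "__main__":
    binary = sys.argv[1] if len(sys.argv) > 1 else "openssl"
    result = check_build(lambda args: run_openssl(args, binary))
    print(result)
    sys.exit(1 if failures(result) else 0)
```

Run it as `python check_gost_build.py /usr/bin/openssl` on the rebuilt machine. An exit status of 1 with `ec` in the failure list is the likely symptom of a build from a tarball with the EC code removed (the hobble-openssl step in the stock spec), which no Configure option can undo; `gost_engine` failing on its own points at the engines directory or the engine's configuration rather than the library.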
