
#1 2015-10-03 05:31:08

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

Note: I have not compiled software very much; I have installed numerous packages through the AUR, and have done a few make/make installs.

I have Arch running on an ALIX 3d2 computer board from PC Engines. This board is based on a 500MHz AMD Geode x86 processor, and includes an AES128 hardware accelerator & random number generator. Arch successfully recognizes the AES unit, and auto loads the "geode_aes" and "geode_rng" kernel modules. However, I have read that for OpenSSL to be able to use it, OpenSSL must be compiled with the "DHAVE_CRYPTODEV" and "DUSE_CRYPTODEV_DIGESTS" compile flags. It appears from running "openssl version -a", that the official Arch package's OpenSSL is not compiled with these options.

Is there any way to use the existing Arch OpenSSL package & possibly re-compile it with these options, or am I better off just downloading the sources from the OpenSSL website & compiling manually?

Offline

#2 2015-10-03 05:40:44

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2015-10-03 05:41:15

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

Excellent, thank you.

Offline

#4 2015-10-03 07:11:55

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

Alright, so I have run "abs" and created the ABS root, then ran "abs core/openssl", then copied the contents of "/var/abs/core/openssl/" to my home directory. I have edited the PKGBUILD so that the ./Configure line is as follows:

 ./Configure -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
                shared zlib ${optflags} \
                "${openssltarget}" \
                "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

However, the "makepkg -s" is failing with the following:

eng_cryptodev.c:56:31: fatal error: crypto/cryptodev.h: No such file or directory
compilation terminated.
Makefile:77: recipe for target 'depend' failed
make[2]: *** [depend] Error 1
make[2]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/crypto/engine'
Makefile:133: recipe for target 'depend' failed
make[1]: *** [depend] Error 1
make[1]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/crypto'
Makefile:470: recipe for target 'depend' failed
make: *** [depend] Error 1
==> ERROR: A failure occurred in build().
    Aborting...

Any ideas?

Offline

#5 2015-10-03 10:38:59

IMBJR
Member
From: INDCMPLX
Registered: 2014-03-16
Posts: 88

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

train_wreck wrote:

However, the "makepkg -s" is failing with the following:

eng_cryptodev.c:56:31: fatal error: crypto/cryptodev.h: No such file or directory
compilation terminated.
Makefile:77: recipe for target 'depend' failed
make[2]: *** [depend] Error 1
make[2]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/crypto/engine'
Makefile:133: recipe for target 'depend' failed
make[1]: *** [depend] Error 1
make[1]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/crypto'
Makefile:470: recipe for target 'depend' failed
make: *** [depend] Error 1
==> ERROR: A failure occurred in build().
    Aborting...

Any ideas?

I get the same results; unfortunately, it may be an issue with OpenSSL:

http://stackoverflow.com/questions/2120 … tion-error

When I follow that advice, the build works, but of course the very feature you want is no longer compiled in.

Offline

#6 2015-10-03 14:12:54

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS


1000

Offline

#7 2015-10-03 16:21:08

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

OK, so I've downloaded cryptodev-linux version 1.7. According to the INSTALL file, all I need to do is run "make" then "make install". However, make is failing with the following:

make -C /lib/modules/4.2.2-1-ARCH/build SUBDIRS=`pwd` modules
make[1]: Entering directory '/usr/lib/modules/4.2.2-1-ARCH/build'
  CC [M]  /home/USER/cryptodev-linux-1.7/ioctl.o
/home/USER/cryptodev-linux-1.7/ioctl.c: In function ‘clonefd’:
/home/USER/cryptodev-linux-1.7/ioctl.c:549:8: error: implicit declaration of function ‘get_unused_fd’ [-Werror=implicit-function-declaration]
  ret = get_unused_fd();
        ^
cc1: some warnings being treated as errors
scripts/Makefile.build:258: recipe for target '/home/USER/cryptodev-linux-1.7/ioctl.o' failed
make[2]: *** [/home/USER/cryptodev-linux-1.7/ioctl.o] Error 1
Makefile:1386: recipe for target '_module_/home/USER/cryptodev-linux-1.7' failed
make[1]: *** [_module_/home/USER/cryptodev-linux-1.7] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.2.2-1-ARCH/build'
Makefile:25: recipe for target 'build' failed
make: *** [build] Error 2

I'm not sure what "error: implicit declaration of function get_unused_fd" is, but from Googling that, it seems that it was removed in kernel 3.19......

Am I at a dead-end here? There is apparently an equivalent project called "OCF-linux"?

Offline

#8 2015-10-03 17:40:04

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

Update: so the link provided did not contain the most recent version of cryptodev. I found a more recent patch on GitHub which fixes the code for the 3.19 kernel, and I am now able to successfully compile. I have noticed that I am unable to load the module with "modprobe"; I must manually run "insmod /lib/modules/4.2.2-1-ARCH/extra/cryptodev.ko.gz".

I am now compiling OpenSSL via makepkg, and it has progressed past the point at which it failed earlier. We shall see....

Offline

#9 2015-10-03 18:24:48

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

So after a half-hour of compiling OpenSSL, the makepkg process failed :( :(

convert the certificate request into a self signed certificate using 'x509'
3073238720:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
3073238720:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
3073238720:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_REQ
3073238720:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
error using 'x509' to self sign a certificate request
Makefile:281: recipe for target 'test_ss' failed
make[1]: *** [test_ss] Error 1
make[1]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/test'
Makefile:459: recipe for target 'tests' failed
make: *** [tests] Error 2
==> ERROR: A failure occurred in check().
    Aborting...

Offline

#10 2015-10-04 06:03:46

train_wreck
Member
Registered: 2011-10-22
Posts: 97

Re: Re-compiling OpenSSL with DHAVE_CRYPTODEV and DUSE_CRYPTODEV_DIGESTS

Here is more of the makepkg output before the error:

Generate and verify a certificate request
generating certificate request
rsa
There should be a 2 sequences of .'s and some +'s.
There should not be more that at most 80 per line
This could take some time.
Generating a 1024 bit RSA private key
.......++++++
..++++++
writing new private key to 'testkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Queensland]:
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) []:CryptSoft Pty Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Eric Young
Email Address []:eay@mincom.oz.au
verify OK
testing req conversions
p -> d
p -> p
d -> d
p -> d
d -> p
p -> p
testing req conversions
p -> d
p -> p
d -> d
p -> d
d -> p
p -> p
testing pkcs7 conversions
p -> d
p -> p
d -> d
p -> d
d -> p
p -> p
testing pkcs7 conversions (2)
p -> d
p -> p
d -> d
p -> d
d -> p
p -> p
The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 1 depth lookup:certificate has expired
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 1 depth lookup:certificate has expired
C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
Generate a set of DH parameters
../util/shlib_wrap.sh ./dhtest
.++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*

p    =868BE174296359D7
g    =5
pri 1=6135CFC885FFEE43
pub 1=3CCDE850C1C33BB0
pri 2=6E042536AF64F9EB
pub 2=43AF5C7982E08C25
key1 =23F108A378EA977A
key2 =23F108A378EA977A
RFC5114 parameter test 1 OK
RFC5114 parameter test 2 OK
RFC5114 parameter test 3 OK
Generate a set of DSA parameters
../util/shlib_wrap.sh ./dsatest
test generation of DSA parameters
.++++++++++++++++++++++++++++++++++++++++++++++++++*
...+........+..+...+............+.+..+..........................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++*
seed
D5014E4B 60EF2BA8 B6211B40 62BA3224 E0427DD3
counter=105 h=2
P:
    00:8d:f2:a4:94:49:22:76:aa:3d:25:75:9b:b0:68:
    69:cb:ea:c0:d8:3a:fb:8d:0c:f7:cb:b8:32:4f:0d:
    78:82:e5:d0:76:2f:c5:b7:21:0e:af:c2:e9:ad:ac:
    32:ab:7a:ac:49:69:3d:fb:f8:37:24:c2:ec:07:36:
    ee:31:c8:02:91
Q:
    00:c7:73:21:8c:73:7e:c8:ee:99:3b:4f:2d:ed:30:
    f4:8e:da:ce:91:5f
G:
    62:6d:02:78:39:ea:0a:13:41:31:63:a5:5b:4c:b5:
    00:29:9d:55:22:95:6c:ef:cb:3b:ff:10:f3:99:ce:
    2c:2e:71:cb:9d:e5:fa:24:ba:bf:58:e5:b7:95:21:
    92:5c:9c:c4:2e:9f:6f:46:4b:08:8c:c5:72:af:53:
    e6:d7:88:02
../util/shlib_wrap.sh ./dsatest -app2_1
test generation of DSA parameters
.++++++++++++++++++++++++++++++++++++++++++++++++++*
...+........+..+...+............+.+..+..........................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++*
seed
D5014E4B 60EF2BA8 B6211B40 62BA3224 E0427DD3
counter=105 h=2
P:
    00:8d:f2:a4:94:49:22:76:aa:3d:25:75:9b:b0:68:
    69:cb:ea:c0:d8:3a:fb:8d:0c:f7:cb:b8:32:4f:0d:
    78:82:e5:d0:76:2f:c5:b7:21:0e:af:c2:e9:ad:ac:
    32:ab:7a:ac:49:69:3d:fb:f8:37:24:c2:ec:07:36:
    ee:31:c8:02:91
Q:
    00:c7:73:21:8c:73:7e:c8:ee:99:3b:4f:2d:ed:30:
    f4:8e:da:ce:91:5f
G:
    62:6d:02:78:39:ea:0a:13:41:31:63:a5:5b:4c:b5:
    00:29:9d:55:22:95:6c:ef:cb:3b:ff:10:f3:99:ce:
    2c:2e:71:cb:9d:e5:fa:24:ba:bf:58:e5:b7:95:21:
    92:5c:9c:c4:2e:9f:6f:46:4b:08:8c:c5:72:af:53:
    e6:d7:88:02
Generate and certify a test certificate

make a certificate request using 'req'
rsa
Generating a 2048 bit RSA private key
......................+++
............+++
writing new private key to 'keyCA.ss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
Organization Name (eg, company) []:Dodgy Brothers
Common Name (eg, YOUR name) []:Dodgy CA

convert the certificate request into a self signed certificate using 'x509'
3073066688:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
3073066688:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
3073066688:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_REQ
3073066688:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
error using 'x509' to self sign a certificate request
Makefile:281: recipe for target 'test_ss' failed
make[1]: *** [test_ss] Error 1
make[1]: Leaving directory '/home/USER/openssl/src/openssl-1.0.2d/test'
Makefile:459: recipe for target 'tests' failed
make: *** [tests] Error 2
==> ERROR: A failure occurred in check().
    Aborting...

And here is the PKGBUILD:

# $Id: PKGBUILD 241910 2015-07-09 14:57:09Z foutrelis $
# Maintainer: Pierre Schmitz <pierre@archlinux.de>

pkgname=openssl
_ver=1.0.2d
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
pkgrel=1
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
arch=('i686' 'x86_64')
url='https://www.openssl.org'
license=('custom:BSD')
depends=('zlib' 'perl')
optdepends=('ca-certificates')
options=('!makeflags')
backup=('etc/ssl/openssl.cnf')
source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"
        "https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz.asc"
        'no-rpath.patch'
        'ca-dir.patch')
md5sums=('38dd619b2e77cbac69b99f52a053d25a'
         'SKIP'
         'dc78d3d06baffc16217519242ce92478'
         '3bf51be3a1bbd262be46dc619f92aa90')
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')

prepare() {
        cd $srcdir/$pkgname-$_ver

        # remove rpath: http://bugs.archlinux.org/task/14367
        patch -p0 -i $srcdir/no-rpath.patch
        # set ca dir to /etc/ssl by default
        patch -p0 -i $srcdir/ca-dir.patch
}

build() {
        cd $srcdir/$pkgname-$_ver

        if [ "${CARCH}" == 'x86_64' ]; then
                openssltarget='linux-x86_64'
                optflags='enable-ec_nistp_64_gcc_128'
        elif [ "${CARCH}" == 'i686' ]; then
                openssltarget='linux-elf'
                optflags=''
        fi

        # mark stack as non-executable: http://bugs.archlinux.org/task/12434
        ./Configure -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
                shared zlib ${optflags} \
                "${openssltarget}" \
                "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

        make depend
        make
}

check() {
        cd $srcdir/$pkgname-$_ver
        # the test fails due to missing write permissions in /etc/ssl
        # revert this patch for make test
        patch -p0 -R -i $srcdir/ca-dir.patch
        make test
        patch -p0 -i $srcdir/ca-dir.patch
}

package() {
        cd $srcdir/$pkgname-$_ver
        make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
        install -D -m644 LICENSE $pkgdir/usr/share/licenses/$pkgname/LICENSE
}

groups=('modified')

Not really sure what else to post...

Offline
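
A preflight check for the three things this thread trips over (the crypto/cryptodev.h header from post #4, a loaded cryptodev module from posts #7 and #8, and the two -D flags from post #1), as an added example that is not part of any post. The header install path usr/include/crypto/cryptodev.h and all function names are assumptions; /dev/crypto is the device node the cryptodev module provides.

```shell
#!/bin/sh
# Added example: preflight for an OpenSSL build with the cryptodev engine.
# ROOT lets the checks run against a staged tree; use "/" for the live system.

# Assumption: cryptodev-linux's "make install" places the header here.
CRYPTODEV_HEADER=usr/include/crypto/cryptodev.h
# Character device that exists only while cryptodev.ko is loaded.
CRYPTODEV_NODE=dev/crypto

# has_define TEXT NAME: true if -DNAME appears as a whole compiler flag in TEXT
# (so -DHAVE_CRYPTODEV_FOO does not count as -DHAVE_CRYPTODEV).
has_define() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx -- "-D$2"
}

# missing_defines TEXT: print each of the thread's two flags absent from TEXT,
# where TEXT is the output of "openssl version -a".
missing_defines() {
    for d in HAVE_CRYPTODEV USE_CRYPTODEV_DIGESTS; do
        has_define "$1" "$d" || printf '%s\n' "$d"
    done
}

# preflight ROOT VERSION_TEXT: one line per problem; returns 0 only if none.
preflight() {
    root=${1%/}; text=$2; rc=0
    [ -f "$root/$CRYPTODEV_HEADER" ] || {
        echo "header missing: $root/$CRYPTODEV_HEADER (eng_cryptodev.c cannot compile)"
        rc=1
    }
    [ -c "$root/$CRYPTODEV_NODE" ] || {
        echo "no device node: $root/$CRYPTODEV_NODE (cryptodev module not loaded)"
        rc=1
    }
    for d in $(missing_defines "$text"); do
        echo "openssl was built without -D$d"
        rc=1
    done
    return $rc
}

# Live-system run: sh preflight.sh live
if [ "${1:-}" = live ]; then
    preflight / "$(openssl version -a 2>/dev/null)"
fi
```

Run the header check before makepkg and the flag check against the freshly installed package; a missing device node after a successful module build means the module still has to be loaded.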
