Rebuilding openssl with elliptic curves on CentOS 6.4
The strategy is:
1) Download the "official" CentOS source package (.src.rpm)
2) Modify the .spec file to enable elliptic curves. (change no-EC to enable-EC)
3) Rebuild the package using mock.
The build was performed on a fresh Amazon cloud server, so anyone can reproduce exactly every step performed below.
# 1. Log into AWS (Amazon Web Services) and create a public key.
# 2. Download your public key and install into your local client e.g. putty or ssh.
# 3. Instantiate a CentOS 6.4 machine using AWS marketplace for machine images. (free)
# 4. Log into your new CentOS 6.4 using ssh or putty, update and install a few packages:
Update the freshly installed CentOS and install the development tools
yum -y update # Update all packages on a new machine
yum -y groupinstall 'Development tools'
Install mock, a super package builder, from the Fedora EPEL repository. Mock is the secret weapon of CentOS (and many other distributions) package builders.
yum -y localinstall --nogpgcheck http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm # Install EPEL (EL6 extra packages) repository
yum -y install fedora-packager # Install mock from EPEL repository
Add a new user "abcd" to the group "mock". User abcd will be used for the package rebuild. Note: yum automatically created the "mock" group when we installed fedora-packager.
userdel -rf abcd ; useradd -G mock abcd ; su abcd
Get the latest CentOS openssl source package and "unpack" it with mock
cd ~ ; curl -O http://vault.centos.org/6.4/os/Source/SPackages/openssl-1.0.0-27.el6.src.rpm
/usr/bin/mock --rebuild ~/openssl-1.0.0-27.el6.src.rpm
We see output lines like this
# INFO: mock.py version 1.1.32 starting...
# Start: build setup for openssl-1.0.0-27.el6.src.rpm
# Start: rpmbuild -bb openssl-1.0.0-27.el6.src.rpm
# Start: Outputting list of installed packages
Finally, after a long time, we see
# INFO: Results and/or logs in: /var/lib/mock/epel-6-x86_64/result
Move the mock build results to a safe place
rm -rf /home/abcd/build ; mv /var/lib/mock/epel-6-x86_64/root/builddir/build/ /home/abcd ; # Move to a safe place
Download the replacement source file (.tar.gz) and the patch file from openssl.org
cd /home/abcd/build/SOURCES
curl -O http://www.openssl.org/source/openssl-1.0.0.tar.gz # Download corresponding source tarball from openssl
curl -o patch300.patch 'http://cvs.openssl.org/patchset?cn=19998' # Download this patch to fix a test error
Edit the openssl.spec file to
# 1. Enable elliptic curves (enable-EC)
# 2. Disable the hobble-openssl script (which erases EC files)
# 3. Update the release number to .EC.1
# 4. Include the newly downloaded .tar.gz as source
# 5. Include the newly downloaded patch file
cd ../SPECS
sed -i -e "s/no-ec/enable-ec/; s/no-ecdh/enable-ecdh/; s/no-ecdsa/enable-ecdsa/" openssl.spec # Enable EC
sed -i -e "s/^Source1: hobble-openssl/#&/; s/^%.SOURCE1. /#&/" openssl.spec # Disable the "hobble" script
sed -i -e "s/^Release.*dist\}/&.EC.1/" openssl.spec # Also change release number by adding .EC.1
sed -i -e "s/-usa.tar.bz2/.tar.gz/" openssl.spec # Change the source tarball
sed -i -e "s/^Patch78.*/&\nPatch300: patch300.patch\n/" openssl.spec # Add the new patch
sed -i -e "s/^%patch78.*/&\n%patch300 -p1 \n/" openssl.spec # Add the new patch again
Create a new source package using the edited ("enable-EC") openssl.spec
/usr/bin/mock --buildsrpm --spec ~/build/SPECS/openssl.spec --sources ~/build/SOURCES # Do a source rebuild
Build the new openssl package using the new source package
cp /var/lib/mock/epel-6-x86_64/root/builddir/build/SRPMS/openssl-1.0.0-27.el6.EC.1.src.rpm /home/abcd
cd ~ ; /usr/bin/mock --rebuild openssl-1.0.0-27.el6.EC.1.src.rpm
Summary here: http://pastebin.centos.org/3070
Thanks to Petaling Jaya on Freenode for all the help.
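An added check, not part of the original post: a POSIX shell function that confirms each of the sed edits to openssl.spec actually took effect before the spec is handed to mock --buildsrpm. The function name check_ec_spec and its messages are hypothetical, and the patterns assume the spec lines that the sed commands above target.

```shell
#!/bin/sh
# check_ec_spec SPEC  (hypothetical helper, not part of the original procedure)
# Returns 0 only if all five spec edits are present, 1 if any is missing,
# 2 if SPEC is unreadable. sed -i exits 0 even when a pattern matched nothing,
# so a missed edit would otherwise surface only after a long mock build.
check_ec_spec() {
    spec=$1
    missing=0
    fail() { echo "MISSING: $1" >&2; missing=1; }
    active() { grep -v '^[[:space:]]*#' "$spec"; }   # spec minus comment lines

    [ -r "$spec" ] || { echo "cannot read: $spec" >&2; return 2; }

    # 1. EC enabled: no active no-ec/no-ecdh/no-ecdsa, and enable-ec present.
    if active | grep -Eq '(^|[[:space:]])no-ec(dh|dsa)?([[:space:]]|$)'; then
        fail "a no-ec* Configure option is still active"
    fi
    active | grep -Eq '(^|[[:space:]])enable-ec([[:space:]]|$)' ||
        fail "enable-ec not found"

    # 2. hobble-openssl disabled, both the Source1 tag and its %prep call.
    if grep -Eq '^(Source1:[[:space:]]*hobble-openssl|%\{SOURCE1\})' "$spec"; then
        fail "hobble-openssl is still active"
    fi

    # 3. Release carries the .EC.1 suffix.
    grep -Eq '^Release:.*\.EC\.1' "$spec" || fail "Release lacks .EC.1"

    # 4. Source no longer names the -usa.tar.bz2 tarball.
    if grep -Eq '^Source0?:.*-usa\.tar\.bz2' "$spec"; then
        fail "Source still points at -usa.tar.bz2"
    fi

    # 5. Patch300 is declared and applied.
    grep -Eq '^Patch300:[[:space:]]*patch300\.patch' "$spec" ||
        fail "Patch300 not declared"
    grep -Eq '^%patch300([[:space:]]|$)' "$spec" || fail "%patch300 not applied"

    return "$missing"
}

# Usage: check_ec_spec ~/build/SPECS/openssl.spec && echo "spec edits verified"
```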