[lulingar]

Hi guys,

I'm trying to build OpenSSL v1.0.2g from an AUR PKGFILE [1], on a armv7h platform. I'm doing specifically to enable openssl-cryptodev, as there does not seem an ALARM kernel package compiled specifically for my platform (Olimex A20 OlinuXino Lime2). The Cryptodev module has been, of course, successfully built and is loaded in the kernel.

While the build seems to complete successfully, the test suite fails as shown in [2]. Does anybody know what to make of it?


[1] The PKGFILE, original at https://aur.archlinux.org/packages/openssl-chacha20/
$this->bbcode_second_pass_code('', '
# $Id$
# Maintainer: Pierre Schmitz <pierre@archlinux.de>

_pkgname=openssl
pkgname=${_pkgname}-chacha20
_ver=1.0.2g
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
pkgrel=3
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security with Chacha20 cipher'
arch=('i686' 'x86_64' 'armv7h')
url='https://www.openssl.org'
license=('custom:BSD')
depends=('perl')
optdepends=('ca-certificates')
options=('!makeflags')
backup=('etc/ssl/openssl.cnf')
conflicts=('openssl')
provides=("openssl=${pkgver}")
source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz"
"https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz.asc"
'no-rpath.patch'
'ssl3-test-failure.patch'
'ca-dir.patch'
'openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch')
sha256sums=('b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33'
'SKIP'
'754d6107a306311e15a1db6a1cc031b81691c8b9865e8809ac60ca6f184c957c'
'c54ae87c602eaa1530a336ab7c6e22e12898e1941012349c153e52553df64a13'
'9e8126f3a748f4c1d6fe34d4436de72b16a40e97a6d18234d2e88caa179d50c4'
'09a2e88f95d8cd12bd9c23cd87554ab700fb1625a848c0502951849fb1d564fc')
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')

prepare() {
cd $srcdir/$_pkgname-$_ver

# remove rpath: http://bugs.archlinux.org/task/14367
patch -p0 -i $srcdir/no-rpath.patch

# disable a test that fails when ssl3 is disabled
patch -p1 -i $srcdir/ssl3-test-failure.patch

# set ca dir to /etc/ssl by default
patch -p0 -i $srcdir/ca-dir.patch
}

build() {
cd $srcdir/$_pkgname-$_ver

if [ "${CARCH}" == 'x86_64' ]; then
openssltarget='linux-x86_64'
optflags='enable-ec_nistp_64_gcc_128'
elif [ "${CARCH}" == 'i686' ]; then
openssltarget='linux-elf'
optflags=''
elif [ "${CARCH}" == 'arm' -o "${CARCH}" == 'armv6h' -o "${CARCH}" == 'armv7h' ]; then
openssltarget='linux-armv4'
optflags=''
elif [ "${CARCH}" == 'aarch64' ]; then
openssltarget='linux-aarch64'
optflags=''
fi

# mark stack as non-executable: http://bugs.archlinux.org/task/12434
./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 shared threads zlib enable-md2 \
shared no-ssl3-method ${optflags} \
"${openssltarget}" \
"-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

make depend
make
}

check() {
cd $srcdir/$_pkgname-$_ver
# the test fails due to missing write permissions in /etc/ssl
# revert this patch for make test
patch -p0 -R -i $srcdir/ca-dir.patch
make test
patch -p0 -i $srcdir/ca-dir.patch
}

package() {
cd $srcdir/$_pkgname-$_ver
make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
install -D -m644 LICENSE $pkgdir/usr/share/licenses/$_pkgname/LICENSE
}

')

[2] The test failure log
$this->bbcode_second_pass_code('', '
make a certificate request using 'req'
rsa
Generating a 2048 bit RSA private key
....................................................................................................................+++
......................................................+++
writing new private key to 'keyCA.ss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
Organization Name (eg, company) []:Dodgy Brothers
Common Name (eg, YOUR name) []:Dodgy CA

convert the certificate request into a self signed certificate using 'x509'
3069843168:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
3069843168:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
3069843168:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
3069843168:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
error using 'x509' to self sign a certificate request
Makefile:286: recipe for target 'test_ss' failed
')

[moonman]

You can force install openssl-cryptodev from the repo with -dd. You can also create a cryptodev-dkms package which will provide cryptodev-friendly.

[lulingar]

I'm not sure what do you mean precisely by "will provide cryptodev-friendly". Regardless, I still have the issue with test stage failing.

[moonman]

There is now 'cryptodev-dkms' package in the repos.

Remove your manually build module, install the package with 'pacman -S cryptodev-dkms'

After that you will be able to install 'openssl-cryptodev' package.

No need to rebuild openssl for you.

EDIT: And to build openssl with cryptodev, it needs to be patched.
https://github.com/archlinuxarm/PKGBUIL ... v/PKGBUILD

[lulingar]

Excellent, thanks a lot moonman! I have been able to install openssl-cryptodev. I would have liked to understand what the issue was when building the OpenSSL source, but I guess I would need to parse the source tree. Now, initial benchmarking shows a modest improvement,

Thanks for your help.

[moonman]

The problem is that openssl developers don't have an upto date version of cryptodev engine, so it needs to be patched. Cryptodev developers have submitted patches upstream to openssl but these requests have been ignored by openssl team for some reason.