目录
近日openssl爆出拒绝服务、证书绕过漏洞,CVE编号CVE-2021-3449、CVE-2021-3450。
解决方法:
CentOS7默认openssl版本1.0.2,不受影响。
CentOS8默认openssl版本1.1.1,受影响,需要到OpenSSL1.1.1k及以上版本。
记录centos8编译打包openssl-1.0.2u、openssl-1.1.1k的过程。
从官网https://www.openssl.org/source/old/1.0.2/下载openssl-1.0.2u.tar.gz,并做sha256校验。
cd rpmbuild/SOURCES/
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
sha256sum ./openssl-1.0.2u.tar.gz
ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16 ./openssl-1.0.2u.tar.gz
解压缩,把spec文件copy到SPEC目录下。
tar xvzf openssl-1.0.2u.tar.gz
cp openssl-1.0.2u/openssl.spec ../SPECS/openssl-1.0.2u.spec
编译打包openssl-1.0.2u并排错。报错Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5,解决方案是安装依赖perl-Perl4-CoreLibs.noarch
rpmbuild -ba openssl-1.0.2u.spec
Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at util/perlpath.pl line 7.
error: Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)
RPM build errors:
bogus date in %changelog: Sun Jun 6 2005 Richard Levitte <richard@levitte.org>
bogus date in %changelog: Tue Sep 10 1999 Damien Miller <damien@ibs.com.au>
Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)
yum install perl-Perl4-CoreLibs.noarch
编译打包openssl-1.0.2u成功。
rpmbuild -ba --clean openssl-1.0.2u.spec
……
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.0.2u-1.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-doc-1.0.2u-1.x86_64.rpm
从官网https://www.openssl.org/source/下载openssl-1.1.1k.tar.gz,并做sha256校验,再解压缩。
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
sha256sum ./openssl-1.1.1k.tar.gz
892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 ./openssl-1.1.1k.tar.gz
tar xvzf openssl-1.1.1k.tar.gz
编译安装
config生成Makefile
make编译,make test的结果一定要PASS
make install安装,或者其他选项只安装你需要的内容
如果在这些过程中提示有依赖项就安装,不OK就解决,再make clean后重新来过。
cd openssl-1.1.1k
./config
make
make test
make install
这样编译安装以后,openssl的版本升级到了1.1.1k,但是库文件仍使用原来1.1.1g版本的,不会影响使用。
openssl version
OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1g FIPS 21 Apr 2020)
这个包安装上以后,会导致严重的故障。
[root@test18 x86_64]# rpm --version
rpm: symbol lookup error: /lib64/librpmio.so.8: undefined symbol: EVP_md2, version OPENSSL_1_1_0
[root@test18 x86_64]# yum remove openssl
Traceback (most recent call last):
......
ImportError: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
......
[root@test18 ~]# ldd /lib64/librpmio.so.8 | grep crypto
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f299ed70000)
[root@test18 ~]# ldd /lib64/libk5crypto.so.3 | grep crypto
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fea0bf97000)
原因是这种方式会替换库文件,不能替换这个库文件详细的原因在这个地方有https://github.com/openssl/openssl/issues/11471,请自行查看。
[root@test18 ~]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Dec 18 06:45 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1g
[root@test18 ~]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
0000000000170530 T EVP_KDF_ctrl
0000000000170620 T EVP_KDF_ctrl_str
0000000000170370 T EVP_KDF_CTX_free
00000000001703b0 T EVP_KDF_CTX_new_id
00000000001706e0 T EVP_KDF_derive
00000000001704d0 T EVP_KDF_reset
00000000001706b0 T EVP_KDF_size
0000000000170500 T EVP_KDF_vctrl
[root@test18 x86_64]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Apr 5 12:58 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1k
[root@test18 x86_64]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
Nothing!!!
这里只是记录编译打包的过程,不推荐使用!
从官网https://www.openssl.org/source/下载openssl-1.1.1k.tar.gz,并做sha256校验。解压缩,发现这个版本没有现成的spec文件。经查证在http://rpmfind.net/可以找到openssl-1.1.1g-12.el8.src.rpm这个包,这个包里面有1.1.1g版本的spec文件,可以找来使用。
该rpm文件cpio提取归档文件不会生成目录,因此建立一个目录存放,再下载。
mkdir openssl-1.1.1g-src
cd openssl-1.1.1g-src/
wget http://vault.centos.org/8.3.2011/BaseOS/Source/SPackages/openssl-1.1.1g-12.el8_3.src.rpm
rpm2cpio openssl-1.1.1g-12.el8_3.src.rpm | cpio -duim
提取的文件很多,把其中的openssl.spec拷贝到rpmbuild/SPECS目录下,并编辑openssl-1.1.1k.spec,修改源代码文件、版本、删除不需要的内容,最终形成openssl-1.1.1k.spec文件,内容如下。
# For the curious:
# 0.9.5a soversion = 0
# 0.9.6 soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
# depends on build configuration options)
%define soversion 1.1
%define debug_package %{nil}
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1k
Release: 1%{?dist}
Epoch: 1
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Source0:openssl-%{version}.tar.gz
%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
# Needed obsoletes due to the base/lib subpackage split
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
Provides: openssl-fips = %{epoch}:%{version}-%{release}
%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.
%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
Requires: pkgconfig
%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.
%package static
Summary: Libraries for static linking of applications which will use OpenSSL
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.
%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%prep
%setup -q -n %{name}-%{version}
%build
#./config \
# --prefix=/usr/bin \
# --openssldir=/etc/pki/tls \
# --libdir=/usr/lib64 \
#./config \
# --prefix=%{_bindir} \
# --openssldir=%{_sysconfdir}/pki/tls \
# --libdir=%{_prefix}/lib64 \
./config \
--prefix=%{_prefix} \
--openssldir=%{_sysconfdir}/pki/tls \
make all
# Clean up the .pc files
#for i in libcrypto.pc libssl.pc openssl.pc ; do
# sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
#done
%check
# Verify that what was compiled actually works.
make test
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=$RPM_BUILD_ROOT install
make DESTDIR=$RPM_BUILD_ROOT uninstall_html_docs
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
#mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
#install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
#install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
#install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
# Move runable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
if [ -L ${manpage} ]; then
TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
ln -snf ${TARGET}ssl ${manpage}ssl
rm -f ${manpage}
else
mv ${manpage} ${manpage}ssl
fi
done
for conflict in passwd rand ; do
rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
manpage=man1/openssl-${conflict}.*
if [ -L ${manpage} ] ; then
ln -snf ssl${conflict}.1ssl ${manpage}
fi
done
popd
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif
%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%endif
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
%files
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc FAQ NEWS README README.FIPS
%{_bindir}/openssl
%{_mandir}/man1*/*
%{_mandir}/man5*/*
%{_mandir}/man7*/*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget*
%files libs
%{!?_licensedir:%global license %%doc}
%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
%files devel
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/*.so
%{_mandir}/man3*/*
%{_libdir}/pkgconfig/*.pc
%files static
%{_libdir}/*.a
%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%changelog
然后rpmbuild -ba --clean openssl-1.1.1k.spec,得到openssl-1.1.1k的rpm包。
rpmbuild -ba --clean openssl-1.1.1k.spec
......
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.1.1k-1.el8.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-libs-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-static-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-perl-1.1.1k-1.el8.x86_64.rpm
......