More M2Crypto build problems

[John Nagle]

Trying to build M2Crypto on a dedicated server running Red Hat Fedora Core 6.
I'm trying to do this right, without manual patching.

The error message I'm getting during build is:

python setup.py build
....
swig -python -I/usr/include -o SWIG/_m2crypto_wrap.c SWIG/_m2crypto.i
/usr/include/openssl/opensslconf.h:27: Error: CPP #error ""This openssl-devel
package does not work your architecture?"". Use the -cpperraswarn option to
continue swig processing.
error: command 'swig' failed with exit status 1

We went through this before, but last time, the versions of OpenSSL and
of SWIG on the system were old, and I was running on a shared server
and couldn't update it. Eventually, M2Crypto was hammered
into working, but it was ugly. It was necessary to patch "setup.py" as
follows:

107,108d106
< target_cpu_str = '-D__i386__' # PATCH - assume Intel target. OpenSSL build
needs this.
<

> 116c114

< swig_opts = [swig_opts_str,target_cpu_str]
---

> swig_opts = [swig_opts_str]

The problem is that the include file in OpenSSL assumes that some
system ID, like __i386__, is defined, which GCC does, but SWIG
does not. It might be considered a bug in SWIG.

This time, everything on the dedicated server has been updated with Yum,
so it ought to just work.

Yum says:

>
> Installed Packages
> openssl.i686 0.9.8a-5.4 installed
> openssl-devel.i386 0.9.8a-5.4 installed
> python.i386 2.4.3-9.FC5 installed
> swig.i386 1.3.31-0.fc5 installed
> Available Packages
> openssl.i386 0.9.8a-5.4 updates

All of those are later than the ones required for M2Crypto, so the system
should be current.

>

But it doesn't.

Also reported as a SWIG bug, as #1676049.

John Nagle

 

[John Nagle]

Still more M2Crypto build problems:

In M2Crypto's file "SWIG/_ec.i", there's this:

#if OPENSSL_VERSION_NUMBER < 0x0090800fL || defined(OPENSSL_NO_EC)
#undef OPENSSL_NO_EC
%constant OPENSSL_NO_EC = 1;
#else
%constant OPENSSL_NO_EC = 0;

%{
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/ecdsa.h>
#include <openssl/ecdh.h>
%}

There's the assumption here that versions of OpenSSL greater than 0.9.08???
contain elliptical curve cryptography support. There's
also the assumption that "ecdsa.h" is present; it is included
unconditionally, and definitions from it are used later.

Unfortunately, the ones that ship with Fedora Core 5 and 6 do not have it:

http://threebit.net/mail-archive/fedora-list/msg14507.html

Updating with "yum" doesn't help. Apparently there are patent problems
with the algorithm, and Red Hat pulled that code. See

http://en.wikipedia.org/wiki/ECC_patents

I'm trying to get M2Crypto to build without elliptical cryptography, but
it's not working

John Nagle

"Python. Embrace the pain".

 

[John Nagle]

Now I understand what's wrong. It's an incompatibility between
SWIG, OpenSSL, and M2Crypto.

OpenSSL was built with OPENSSL_NO_EC defined. That's actually
defined via "opensslconf.h", which includes, based on whether
__i386__ is defined, the file "opensslconf-i386.h". OpenSSL
didn't always work that way; the per-platform include file
thing is new.

M2Crypto uses SWIG. (Usually a mistake, but..) SWIG takes
in various definition files, and generates about 24,000 lines of
C code. (This is just glue code; it's not really doing much.)
One of the the definition files is "_ec.i", which has:

%include <openssl/opensslconf.h>
#if OPENSSL_VERSION_NUMBER < 0x0090800fL || defined(OPENSSL_NO_EC)
#undef OPENSSL_NO_EC
%constant OPENSSL_NO_EC = 1;
#else
%constant OPENSSL_NO_EC = 0;

%{
#include <openssl/bn.h>
.... stuff to handle elliptical curve encryption

This looks reasonable. The "%include" brings in the file for
SWIG processing. But, under SWIG's rules, that does NOT bring
in files included from within the file being included.
(Otherwise, SWIG would generate Python interfaces for everything
in them.)

So "OPENSSL_NO_EC" is undefined, which results in compiling the
code for "EC", the elliptical curve stuff removed from Fedora
5 and 6 for patent reasons.

A workaround is to put:

#define OPENSSL_NO_EC

at the beginning of "_ec.i". This turns off elliptical curve
crypto support. M2Crypto will then build.

There's probably a correct way to do this, and get SWIG to properly
obtain the value from the OpenSSL include file, but I don't know
SWIG well enough to do it.

John Nagle