Setting Build Options When Compiling OpenSSL on Ubuntu 20.04

For an experiment I wanted to take a quick look at how to set build options when compiling OpenSSL; until now I had always used the defaults, for example here: How to view a vulnerable function in BinaryNinja (using HeartBleed CVE-2014-0160 as an example)_蛐蛐蛐的博客-CSDN博客

First download the matching version; for example I downloaded openssl-3.0.0.tar.gz from /source/old/3.0/index.html. Extract it and enter the directory. After searching around I found that although there are plenty of introductory blog posts, basically none of them describe the build options in detail, e.g. this one: linux编译openss, Compiling and using the OpenSSL static library on Linux_币圈E神的博客-CSDN博客

Most articles only cover the default build options and process. For example: Compiling openssl on the Linux platform_slacking off的博客-CSDN博客_linux openssl 编译

A quick look also shows that the official OpenSSL site does not describe this in much detail either; there is only this page: Compilation and Installation - OpenSSLWiki

The doc section on the official site is all FAQ-type material, which leaves me speechless: /docs/index.html Why is everyone's thinking so muddled? Imagine a new user coming to your official site: wouldn't they most want to learn about the various installation and build options? Are programmers' brains all mush?

Searching further, I found some explanations here: OpenSSL Configure option descriptions_昆仑道长的博客-CSDN博客

The wiki page mentioned above also has some explanations:

OpenSSL Library Options
Option Description
--prefix=XXX See PREFIX and OPENSSLDIR in the next section (below).
--openssldir=XXX See PREFIX and OPENSSLDIR in the next section (below).
-d Debug build of the library. Optimizations are disabled (no -O3 or similar) and libefence is used (apt-get install electric-fence or yum install electric-fence). TODO: Any other features?
shared Build a shared object in addition to the static archive. You probably need a RPATH when enabling shared to ensure openssl uses the correct libssl and libcrypto after installation.
enable-ec_nistp_64_gcc_128 Use on little endian platforms when GCC supports __uint128_t. ECDH is about 2 to 4 times faster. Not enabled by default because Configure can't determine it. Enable it if your compiler defines __SIZEOF_INT128__, the CPU is little endian and it tolerates unaligned data access.
enable-capieng Enables the Microsoft CAPI engine on Windows platforms. Used to access the Windows Certificate Store. Also see Using Windows certificate store through OpenSSL on the OpenSSL developer list.
no-ssl2 Disables SSLv2. OPENSSL_NO_SSL2 will be defined in the OpenSSL headers.
no-ssl3 Disables SSLv3. OPENSSL_NO_SSL3 will be defined in the OpenSSL headers.
no-comp Disables compression independent of zlib. OPENSSL_NO_COMP will be defined in the OpenSSL headers.
no-idea Disables IDEA algorithm. Unlike RC5 and MDC2, IDEA is enabled by default
no-asm Disables assembly language routines (and uses C routines)
no-dtls Disables DTLS in OpenSSL 1.1.0 and above
no-dtls1 Disables DTLS in OpenSSL 1.0.2 and below
no-shared Disables shared objects (only a static library is created)
no-hw Disables hardware support (useful on mobile devices)
no-engine Disables hardware support (useful on mobile devices)
no-threads Disables threading support.
no-dso Disables the OpenSSL DSO API (the library offers a shared object abstraction layer). If you disable DSO, then you must disable Engines also
no-err Removes all error function names and error reason text to reduce footprint
no-npn/no-nextprotoneg Disables Next Protocol Negotiation (NPN). Use no-nextprotoneg for 1.1.0 and above; and no-npn otherwise
no-psk Disables Preshared Key (PSK). PSK provides mutual authentication independent of trusted authorities, but it's rarely offered or used
no-srp Disables Secure Remote Password (SRP). SRP provides mutual authentication independent of trusted authorities, but it's rarely offered or used
no-ec2m Used when configuring FIPS Capable Library with a FIPS Object Module that only includes prime curves. That is, use this switch if you use openssl-fips-ecp-2.0.5.
no-weak-ssl-ciphers Disables RC4. Available in OpenSSL 1.1.0 and above.
-DXXX Defines XXX. For example, -DOPENSSL_NO_HEARTBEATS.
-DPEDANTIC Defines PEDANTIC. The library will avoid some undefined behavior, like casting an unaligned byte array to a different pointer type. This define should be used if building OpenSSL with undefined behavior sanitizer (-fsanitize=undefined).
-DOPENSSL_USE_IPV6=0 Disables IPv6. Useful if OpenSSL encounters incorrect or inconsistent platform headers and mistakenly enables IPv6. Must be passed to Configure manually.
-DNO_FORK Defines NO_FORK. Disables calls to fork. Useful for operating systems like AppleTVOS, WatchOS, AppleTVSimulator and WatchSimulator.
-Lsomething, -lsomething, -Ksomething, -Wl,something Linker options, will become part of LDFLAGS.
-anythingelse, +anythingelse Compiler options, will become part of CFLAGS.

Concretely, run in a terminal:

./Configure –help

and you will see the following output:

Configuring OpenSSL version 3.0.0 for target –help
Using os-specific seed configuration
Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]

Note that the –help above is not the hyphen in the usual sense, i.e. -help, which is rather bizarre. Even typing ./Configure --help does not work.

Looking at these hints gives a rough idea of the build options, though some things are still unclear, e.g. what -f means; the table above does not say either. Still, this is already clearer than most blog posts; for example, I noticed many people summarize it like this:

Common parameter options when running Configure are as follows:

Installation parameters:

--openssldir=OPENSSLDIR

Installation directory; the default is /usr/local/ssl.

--prefix=PREFIX

Sets the prefix for the lib, include and bin directories; defaults to the OPENSSLDIR directory.

--install_prefix=DESTDIR

Sets the directory used as the "root" during installation; usually used for packaging; empty by default.

zlib
zlib-dynamic
no-zlib

Use the static zlib compression library / use the dynamic zlib compression library / do not use zlib compression.

threads
no-threads

Whether to build a library with multithreading support. Supported by default.

shared
no-shared

Whether to produce a dynamic link library.

asm
no-asm

Whether to use assembly code during compilation to speed up the compilation process.

enable-sse2
no-sse2

Enable/disable SSE2 instruction set acceleration. If your CPU supports SSE2 you can turn it on; otherwise turn it off.

gmp
no-gmp

Enable/disable the GMP library

rfc3779
no-rfc3779

Enable/disable the implementation of the X509v3 certificate IP address extension

krb5
no-krb5

Enable/disable Kerberos 5 support

ssl
no-ssl
ssl2
ssl3
no-ssl2
no-ssl3
tls
no-tls

Enable/disable SSL (including SSL2/SSL3) and TLS protocol support.

dso
no-dso

Enable/disable the ability to call other dynamic link libraries. [Note] no-dso is only usable together with no-shared.

Disable options

no-md2,no-md4,no-mdc2,no-ripemd

Digest algorithms

no-des,no-rc2,no-rc4,no-rc5,no-idea,no-bf,no-cast,no-camellia

Symmetric encryption algorithms

no-ec,no-dsa,no-ecdsa,no-dh,no-ecdh

Asymmetric encryption algorithms

no-comp

Data compression algorithms

no-store

Object store functionality

Finally, if we want to build with O0 for some simple experiments, we can follow the page above and use the following command line options:

./config no-asm -g3 -O0 -fno-omit-frame-pointer -fno-inline-functions

and then run make (for my experiments I did not need install):

make
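As an added example (not from the original post or from OpenSSL itself), the following Python helper sorts a Configure command line into the buckets the wiki table above describes (LDFLAGS, CFLAGS, -D defines, no-/enable- switches, install paths) and applies the consistency rules the page quotes: no-dso needs no-engine and no-shared, -DPEDANTIC belongs with -fsanitize=undefined, and -d/-O0/-g3 builds are for experiments only. The function names, bucket names and warning texts are my own; the argument list excludes the ./config or ./Configure program name.

```python
# Added example (not from the original post or from OpenSSL): sort a Configure
# command line into the buckets the wiki table describes and check the
# consistency rules the page states. Bucket names and messages are my own.
LINKER_PREFIXES = ("-L", "-l", "-K", "-Wl,")            # -> LDFLAGS per the table
BARE_SWITCHES = {"shared", "threads", "zlib", "zlib-dynamic", "sctp", "386"}

def parse_configure_args(args):
    """args: the words after ./Configure or ./config (program name excluded)."""
    plan = {"disabled": set(), "enabled": set(), "defines": [], "cflags": [],
            "ldflags": [], "paths": {}, "target": ""}
    for a in args:
        if a.startswith("--") and "=" in a:            # --prefix=, --openssldir=, ...
            key, value = a[2:].split("=", 1)
            plan["paths"][key] = value
        elif a.startswith("no-"):                      # no-asm, no-ssl3, no-dso, ...
            plan["disabled"].add(a[3:])
        elif a.startswith("enable-"):                  # enable-ec_nistp_64_gcc_128, ...
            plan["enabled"].add(a[7:])
        elif a == "-d":                                # debug build, optimizations off
            plan["enabled"].add("debug")
        elif a.startswith("-D"):                       # -DOPENSSL_NO_HEARTBEATS, -DPEDANTIC
            plan["defines"].append(a[2:])
        elif a.startswith(LINKER_PREFIXES):
            plan["ldflags"].append(a)
        elif a.startswith(("-", "+")):                 # everything else -> CFLAGS
            plan["cflags"].append(a)
        elif a in BARE_SWITCHES:
            plan["enabled"].add(a)
        else:                                          # bare word: os/compiler[:flags] target
            plan["target"] = a
    return plan

def check_plan(plan):
    """Consistency rules quoted on this page; returns a list of warning strings."""
    warnings = []
    if "dso" in plan["disabled"] and "engine" not in plan["disabled"]:
        warnings.append("no-dso: Engines must be disabled as well (no-engine)")
    if "dso" in plan["disabled"] and "shared" not in plan["disabled"]:
        warnings.append("no-dso: only usable together with no-shared")
    if "-fsanitize=undefined" in plan["cflags"] and "PEDANTIC" not in plan["defines"]:
        warnings.append("UBSan build: also pass -DPEDANTIC")
    if "debug" in plan["enabled"] or any(f in plan["cflags"] for f in ("-O0", "-g3")):
        warnings.append("unoptimized debug build: fine for experiments, not for deployment")
    return warnings
```

Running it on the experiment command above (no-asm -g3 -O0 -fno-omit-frame-pointer -fno-inline-functions) puts asm under disabled, the four gcc flags under cflags, and emits only the debug-build warning.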

Overall this is already more detailed than many other people's summaries, but there are still some things I have not figured out. For example, I have seen some datasets provide a single large binary for a particular OpenSSL version; how is that generated? I am still not sure. That's all for today.
