The SM series algorithms are commercial cryptographic algorithms developed in China and are supported in OpenSSL 1.1.1 and newer versions.
There are a number of existing services in China that are currently being retrofitted to support SM, particularly in key banking, finance and securities industries.
I am a developer from China and recently developed some business that needed to use the SM series algorithm support, but I found that it was deliberately disabled in AlmaLinux (https://git.almalinux.org/rpms/openssl/src/branch/c9/SPECS/openssl.spec#L309).
Is there any way I can enable it? Apart from recompiling OpenSSL manually.
change the specfile and rebuild the rpm’s - bit more maintainable/integrated to your system than a tarball/git extracted to /opt or something.
there’s no easy runtime flag to re-enable it, so any way you go you will have to compile something.
you probably want to add a suffix/epoch or dnf versionlock to prevent upgrades overwriting your new package.
anyway, here’s what i tried, i couldn’t get it to pass the build tests - i think because my running system couldn’t generate an sm4 certificate, but if you disable the test suite it builds ok - you may want to fix that before deploying it in banks!
# install dependencies
sudo dnf -y install lksctp-tools-devel perl-Digest-SHA perl-Pod-Html \
perl-FindBin perl-IPC-Cmd perl-Test-Harness perl-Test-Simple \
tar gcc-c++ redhat-rpm-config almalinux-release which xz sed make bzip2 \
gzip gcc coreutils unzip shadow-utils diffutils cpio bash gawk rpm-build \
info patch util-linux findutils grep zlib scl-utils scl-utils-build
# download srpm:
curl -O https://repo.almalinux.org/vault/9.1/BaseOS/Source/Packages/openssl-3.0.1-43.el9_0.src.rpm
# install srpm:
rpm -ivh openssl-3.0.1-43.el9_0.src.rpm
# change "no-sm2 no-sm4" to "enable-sm2 enable-sm4" in the ./Configure line in the spec file
# comment out the "make test HARNESS_JOBS=8" line in the spec file
# rebuild binary from modified specfile:
rpmbuild -bb --target x86_64 --nodeps ~/rpmbuild/SPECS/openssl.spec
Then when you install them, you get:
$ openssl enc -list|grep sm4
-sm4 -sm4-cbc -sm4-cfb
-sm4-ctr -sm4-ecb -sm4-ofb
the EulerOS folks seem to have done similar:
This solved my problem.
But I would still like to know what would disable it because I see it is supported in Ubuntu.
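The two spec edits from the answer above, scripted so that the rebuild stops if either expected string is missing from the spec. This is an added example, not code from the thread or from AlmaLinux; the function names and the sample spec fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the two spec edits described in the answer and
# fail closed when the spec does not contain the expected lines.

# patch_spec SPEC -> 0 if both edits were applied, 1 if the spec did not match.
patch_spec() {
    spec=$1
    # A silent no-op here would rebuild a package that still lacks SM support.
    if ! grep -q 'no-sm2 no-sm4' "$spec"; then
        echo "patch_spec: 'no-sm2 no-sm4' not found in $spec" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*make test HARNESS_JOBS=8' "$spec"; then
        echo "patch_spec: 'make test HARNESS_JOBS=8' not found in $spec" >&2
        return 1
    fi
    # Edit a copy, then replace the original only if sed succeeded.
    sed -e 's/no-sm2 no-sm4/enable-sm2 enable-sm4/' \
        -e 's/^\([[:space:]]*\)\(make test HARNESS_JOBS=8\)/\1# \2/' \
        "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# spec_sm_enabled SPEC -> 0 only if the SM options are enabled and none is disabled.
spec_sm_enabled() {
    grep -q 'enable-sm2 enable-sm4' "$1" && ! grep -Eq 'no-sm(2|4)' "$1"
}

# write_sample_spec FILE: constructed stand-in for the relevant spec lines,
# not a copy of the real openssl.spec.
write_sample_spec() {
    cat > "$1" <<'EOF'
%build
./Configure \
    enable-cms no-mdc2 no-sm2 no-sm4 \
    shared
%check
make test HARNESS_JOBS=8
EOF
}

# Usage: sh patch-spec.sh ~/rpmbuild/SPECS/openssl.spec
if [ -n "${1:-}" ]; then
    patch_spec "$1" && spec_sm_enabled "$1"
fi
```

Running it a second time on an already patched spec returns an error instead of reporting success, which is the cue to inspect the spec by hand after a package update.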