Why the SM2 and SM4 algorithms are disabled

The SM series algorithms are commercial cryptographic algorithms developed in China and are supported in OpenSSL 1.1.1 and newer versions.

There are a number of existing services in China that are currently being retrofitted to support SM, particularly in key banking, finance and securities industries.

I am a developer from China and recently developed some business functionality that needs to use the SM series algorithms, but I found that they are deliberately disabled in AlmaLinux (https://git.almalinux.org/rpms/openssl/src/branch/c9/SPECS/openssl.spec#L309).

Is there any way I can enable it, apart from recompiling OpenSSL manually?

Change the specfile and rebuild the RPMs - a bit more maintainable/integrated with your system than a tarball/git extract in /opt or something.

There’s no easy runtime flag to re-enable it, so whichever way you go you will have to compile something.

You probably want to add a suffix/epoch or a dnf versionlock to prevent upgrades from overwriting your new package.

Anyway, here’s what I tried. I couldn’t get it to pass the build tests - I think because my running system couldn’t generate an SM4 certificate - but if you disable the test suite it builds OK. You may want to fix that before deploying it in banks!

# install dependencies
sudo dnf -y install lksctp-tools-devel perl-Digest-SHA perl-Pod-Html \
    perl-FindBin perl-IPC-Cmd perl-Test-Harness perl-Test-Simple \
    tar gcc-c++ redhat-rpm-config almalinux-release which xz sed make bzip2 \
    gzip gcc coreutils unzip shadow-utils diffutils cpio bash gawk rpm-build \
    info patch util-linux findutils grep zlib scl-utils scl-utils-build \
    git-core kernel-rpm-macros

# download srpm:
curl -O https://repo.almalinux.org/vault/9.1/BaseOS/Source/Packages/openssl-3.0.1-43.el9_0.src.rpm

# install srpm:
rpm -ivh openssl-3.0.1-43.el9_0.src.rpm

# change "no-sm2 no-sm4" to "enable-sm2 enable-sm4" in the ./Configure line in the spec file
# comment out the "make test HARNESS_JOBS=8" line in the spec file

# rebuild binary from modified specfile:
rpmbuild -bb --target x86_64 --nodeps ~/rpmbuild/SPECS/openssl.spec

Then when you install them, you get:

$ openssl enc -list|grep sm4
-sm4                       -sm4-cbc                   -sm4-cfb
-sm4-ctr                   -sm4-ecb                   -sm4-ofb

The EulerOS folks seem to have done something similar:

https://gitee.com/src-openeuler/openssl/blob/master/openssl.spec

https://www.suseeuler.net/package/view_file/openEuler:20.03:LTS:SP2/openssl/openssl.spec?expand=0

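The rebuild procedure and the `openssl enc -list` check above, as an added shell example (not code from the post or from the AlmaLinux openssl package): it scripts the two spec edits the answer describes by hand, reports what a spec file says about SM2/SM4 before you touch it, and checks whether the installed `openssl` binary actually exposes SM4 ciphers and SM2 keys. It assumes the spec carries the literal `no-sm2 no-sm4` on its `./Configure` line and a `make test HARNESS_JOBS=8` line, as the answer states; `sm-audit.sh` and the `keep-tests` option are names chosen here, and any mini spec you feed it for a dry run is a constructed stand-in, not the real file.

```shell
#!/bin/sh
# Added example, not code from the forum post. Scripts the two manual spec
# edits described in the answer and audits SM2/SM4 availability.
# Assumptions: the spec's ./Configure line contains the literal
# "no-sm2 no-sm4" and its %check section contains "make test HARNESS_JOBS=8".

# sm_flags_in_spec SPECFILE
#   Prints "disabled", "enabled" or "absent" according to what the
#   ./Configure line in the spec says about SM2/SM4.
sm_flags_in_spec() {
    if grep -q 'Configure.*no-sm2 no-sm4' "$1"; then
        echo disabled
    elif grep -q 'Configure.*enable-sm2 enable-sm4' "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# enable_sm_in_spec SPECFILE [keep-tests]
#   Turns "no-sm2 no-sm4" into "enable-sm2 enable-sm4" and, unless the second
#   argument is "keep-tests", comments out the test-suite line the way the
#   answer did. Safe to run twice; returns 1 if the spec has no SM flags.
enable_sm_in_spec() {
    spec="$1"
    [ "$(sm_flags_in_spec "$spec")" != absent ] || return 1
    if [ "${2:-}" = keep-tests ]; then
        test_expr='s/^$/&/'          # no-op substitution: leave %check alone
    else
        test_expr='s/^make test HARNESS_JOBS=8$/# &/'
    fi
    sed -e 's/\(Configure.*\)no-sm2 no-sm4/\1enable-sm2 enable-sm4/' \
        -e "$test_expr" "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# count_sm4_modes < ENC_LIST_OUTPUT
#   Counts the "-sm4*" entries in "openssl enc -list" output; 0 means the
#   build has SM4 compiled out.
count_sm4_modes() {
    tr -s ' ' '\n' | grep -c '^-sm4' || true
}

# installed_openssl_has_sm [OPENSSL_BIN]
#   Exit 0 only when the binary lists SM4 ciphers and SM2 keys, i.e. the
#   same check as "openssl enc -list | grep sm4" in the post, plus SM2.
installed_openssl_has_sm() {
    bin="${1:-openssl}"
    "$bin" list -cipher-algorithms 2>/dev/null | grep -qi sm4 &&
        "$bin" list -public-key-algorithms 2>/dev/null | grep -qi sm2
}

# Run directly with the spec path to audit before and after rebuilding, e.g.
#   sh sm-audit.sh ~/rpmbuild/SPECS/openssl.spec
if [ "$#" -eq 1 ]; then
    echo "spec: SM2/SM4 $(sm_flags_in_spec "$1")"
    if installed_openssl_has_sm; then
        echo "installed openssl: SM4 ciphers and SM2 keys available"
    else
        echo "installed openssl: SM support missing (or openssl not installed)"
    fi
fi
```

Call `enable_sm_in_spec ~/rpmbuild/SPECS/openssl.spec keep-tests` if you want the test suite to keep running during `rpmbuild`, which is the safer choice before the package goes anywhere near production; after installing the rebuilt RPMs, `installed_openssl_has_sm` is the quick check that the SM code actually made it into the binary, and `dnf versionlock add openssl` (from the versionlock plugin the answer mentions) keeps a later update from silently replacing it with the stock build.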

This solved my problem.

But I would still like to know why it was disabled, because I see it is supported in Ubuntu.