nixnax

openssl with EC on CentOS 6.4

Jun 25th, 2013
I need your help to rebuild an openssl RPM package with EC (Elliptic Curves).

The target OS is CentOS 6.4. In CentOS, EC (elliptic curves) is disabled due to patent fears.
The strategy is to
1) Download the "official" CentOS source package
2) Modify the .spec file to enable elliptic curves
3) Rebuild the package using rpmbuild

Right now the rebuild compiles about 95% through.

I need your help to eliminate the errors.

The build is done on a fresh Amazon Cloud server which allows anyone to precisely duplicate every step taken.

# 1. Log into AWS (Amazon Web Services) and create a public key. http://aws.amazon.com/
# 2. Download your public key and install into your local client e.g. putty or ssh.
# 3. Instantiate this CentOS 6.4 machine: https://aws.amazon.com/marketplace/pp/B00A6L6F9I
# 4. Log into your new CentOS 6.4 using ssh or putty, update and install a few packages:

yum -y update # Update all packages on new machine
yum -y groupinstall 'Development tools'
yum -y install zlib-devel
yum -y install krb5-devel

cat /etc/centos-release
# CentOS release 6.4 (Final)

uname -rpo
# 2.6.32-279.el6.x86_64 x86_64 GNU/Linux

gcc --version
# gcc 4.4.7 20120313 (Red Hat 4.4.7-3)

# 5. Now we are ready for our first rebuild of openssl. We will do the build as a new user "abcd"

userdel -rf abcd ; useradd abcd ; su abcd # Wipe user abcd, create fresh user abcd, become user abcd
echo "%_topdir /home/$USER/rpmbuild" > ~/.rpmmacros ; echo "%packager Test User <[email protected]>" >> ~/.rpmmacros # Tell rpm where to install files and fake id
echo "%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}" >> ~/.rpmmacros # Tell rpm the architecture
cd ~ ; curl -O http://vault.centos.org/6.4/os/Source/SPackages/openssl-1.0.0-27.el6.src.rpm # Get openssl source
rpm --install openssl-1.0.0-27.el6.src.rpm 1>e1 2>e2 # Extract the source package to /rpmbuild/SOURCES
cd ~/rpmbuild/SPECS # This is where the package .spec file is extracted to
rpmbuild -bb openssl.spec 1>e1 2>e2 & # Rebuild the package using the unmodified .spec file

jobs # A command to check if the compile is still running
# [1]+ Running rpmbuild -bb openssl.spec > e1 2> e2 &

tail -f e1 # or "tail -f e2" # A command to watch the build progress

less -i e2 # Command to let you browse the build errors. Search for "error" with /error

# This build completes successfully with no build errors, proving that we have a good build environment.

# 6. Now we are ready to do a second rebuild. This time we turn on elliptic curves.

cd ~/rpmbuild/SPECS # This is where the .spec file is that we want to change
sed -i -e "s/no-ec/enable-ec/; s/no-ecdh/ /; s/no-ecdsa/ /" ~/rpmbuild/SPECS/openssl.spec
sed -i -e "s/^Source1: hobble-openssl/#&/; s/^%.SOURCE1. /#&/" ~/rpmbuild/SPECS/openssl.spec # Edit the .spec file

# The changes are done, and we can start the second rebuild

rpmbuild -bb openssl.spec 1>e1 2>e2 & # Rebuild the package using the edited .spec file

jobs # Use this command to see when the build is done.

less -i e2 # Command to look at the build errors file. Use /error to search for errors.

# ====================================================================
# =========================== After the build ========================
# ====================================================================

We made the following five changes (see the sed lines above) to enable elliptic curves:

s/no-ec/enable-ec/
s/no-ecdh/ /
s/no-ecdsa/ /
s/^Source1: hobble-openssl/#&/
s/^%.SOURCE1. /#&/

When the package is built with these five changes, there are build errors.

Build errors here, near the end of the file: http://pastebin.com/8aGxEd6n

I find these errors hard to resolve due to my inexperience - this is where I need help.

p_lib.c:318: error: expected declaration specifiers or '...' before 'EC_KEY'

After looking at gcc preprocessor output (gcc -E) I concluded that EC_KEY is undefined.

I found this reference handy: http://fossies.org/dox/openssl-1.0.1e/index.html

EC_KEY is defined in /crypto/include/ec.h

If I manually edit p_lib.c to include ec.h, this error vanishes.

So, for some reason, ec.h is not included in p_lib.c. I wonder why and how to properly fix it.

Comments and suggestions welcome.

Notes

tkil's (freenode #openssl) build file: http://pastebin.com/W9yhbCwt
Note how he adds /crypto/include (the file I'm missing) into the makefile...
perl -i~ -plwe 's!^(CFLAG=.*$)!$1 -DPURIFY -I /opt/crypto/include!' Makefile

I also tried an experimental build where I deleted everything in rpmbuild/SOURCES/hobble-openssl.
hobble-openssl looks for all EC source files and deletes them. I did not edit openssl.spec in /rpmbuild/SPECS.
This experiment built successfully, which tells me that the problem is likely not due to the presence/absence of hobble-openssl.
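
Added example (not part of the original paste): the two sed commands from step 6 run as a filter over a constructed spec fragment, followed by a check for leftover no-ec* flags or active hobble-openssl references before the long rpmbuild is started. The fragment's lines and the function names are assumptions; the real openssl.spec is longer and may differ.

```shell
#!/bin/sh
# Added example, not from the original paste. Function names are hypothetical.

# Constructed spec fragment; the real openssl.spec is longer and may differ.
make_sample_spec() {
cat <<'EOF'
Source0: openssl-sample.tar.bz2
Source1: hobble-openssl
%prep
%{SOURCE1} > /dev/null
%build
./Configure zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared
EOF
}

# The two sed commands from step 6, as a stdin filter instead of "sed -i".
apply_ec_edits() {
  sed -e "s/no-ec/enable-ec/; s/no-ecdh/ /; s/no-ecdsa/ /" |
    sed -e "s/^Source1: hobble-openssl/#&/; s/^%.SOURCE1. /#&/"
}

# Print any line that still disables EC or still runs the hobble script.
# Returns 0 when nothing is left over, 1 otherwise.
check_ec_spec() {
  ! grep -nE '(^|[[:space:]])no-ec(dh|dsa)?([[:space:]]|$)|^Source1: hobble-openssl|^%.SOURCE1.'
}

# Case 1: flags in the order no-ec, no-ecdh, no-ecdsa -> clean result.
make_sample_spec | apply_ec_edits | check_ec_spec && echo "sample spec: clean"

# Case 2 (constructed): no-ecdh listed first. The first substitution has no
# word boundary, so it rewrites no-ecdh to enable-ecdh and leaves no-ec behind.
echo "./Configure no-ecdh no-ec no-ecdsa" | apply_ec_edits | check_ec_spec ||
  echo "reordered flags: leftovers reported above"
```

To check the real file after step 6, run `check_ec_spec < ~/rpmbuild/SPECS/openssl.spec`.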