Build with support of GOST TLS via CryptoPro

Thanks to ALT Linux team for the initial idea how to build it without proprietary libcapi libraries from CryptoPro.
2025-02-23 17:42:45 +00:00 · 2019-09-21 23:02:43 +03:00 · 2019-09-21 23:02:43 +03:00 · 8b4fc265c2
commit 8b4fc265c2
parent 8109e1b0c1
5 changed files with 156 additions and 20 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -3,3 +3,5 @@ sources:
  depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5
  icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3
  new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28
+  chromium-gost-e3818b44e5b738666df02a4faa30025e8f70e4a9.tar.gz: 2928eaf224fb3da4c4a66fac59b2e795afd879fc374464a7513400ccb44bcd70
+  msspi-11be3c144405ac712432d172bca2863545f81fea.tar.gz: cfdb39e5c0ccef14901ed01300cc7cf17fb7c60c6794cf2fc2d54c297bb48b9a
--- a/Makefile.gost
+++ b/Makefile.gost
@ -0,0 +1,30 @@
+# Put https://github.com/deemru/chromium-gost with msspi submodule to %{_gostsourcedir}
+# Run this as:
+# make -C Makefile.gost SDIR=%{_gostsourcedir} CC=%{__cc} CXX=%{__cxx} CFLAGS=%{optflags}
+# Idea how to build this originates from ALT Linux
+
+SDIR ?= chromium-gost
+OUTDIR ?= .
+TMPDIR ?= $(shell mktemp -d)
+CC ?= gcc
+CXX ?= g++
+CRYPTOPRO_MAJOR_VERSION ?= 4
+CFLAGS ?= -O2 -g
+GOSTCFLAGS ?= 
+
+make:
+	cd $(TMPDIR) ; \
+	ar r empty.a ; \
+	$(CC) -shared empty.a -Wl,-soname=libcapi20.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi20.so ; \
+	$(CC) -shared empty.a -Wl,-soname=libcapi10.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi10.so
+
+	$(CXX) $(CFLAGS) $(GOSTCFLAGS) \
+		-Wall -Wl,--no-as-needed -std=c++11 -fPIC -shared -s -Werror -Wno-unused-function -ldl \
+		$(SDIR)/src/gostssl.cpp \
+		$(SDIR)/src/msspi/src/msspi.cpp \
+		-I $(SDIR)/src/msspi/src \
+		-I $(SDIR)/src/msspi/third_party/cprocsp/include \
+		-I third_party/boringssl/src/include \
+		-lcapi10 -lcapi20 \
+		-L$(TMPDIR) \
+		-o $(OUTDIR)/libgostssl.so
--- a/chromium-browser-stable.spec
+++ b/chromium-browser-stable.spec
@ -4,17 +4,25 @@
 #  [3] https://www.archlinux.org/packages/extra/x86_64/chromium/
 #  [4] https://src.fedoraproject.org/rpms/chromium/
 #  [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/
+#  [6] https://packages.altlinux.org/ru/sisyphus/specfiles/chromium-gost

 # Get the version number of latest stable version
 # $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3

 %global _build_pkgcheck_set %{nil}
+%bcond_without gost

 # eol 'fix' corrupts some .bin
 %define dont_fix_eol 1
 %define _disable_lto 1

+%if %{with gost}
+%define crname chromium-gost
+%define chromedriver chromedriver-gost
+%else
 %define crname chromium-browser
+%define chromedriver chromedriver
+%endif
 %define _crdir %{_libdir}/%{crname}
 %define _src %{_topdir}/SOURCES

@ -32,16 +40,28 @@
 %define google_default_client_id 1039996407057-q599ngv7i6ni4sbkd2fsns30246r9s9v.apps.googleusercontent.com
 %define google_default_client_secret mRHXPjlS4cLpp1beCiXoYbLZ

+# GOST patches and sources
+%define chromium_gost_commit e3818b44e5b738666df02a4faa30025e8f70e4a9
+%define msspi_commit 11be3c144405ac712432d172bca2863545f81fea
+%define _gostsourcedir %{_builddir}/chromium-gost
+
+%if ! %{with gost}
 Summary:	A fast web browser based on the Blink engine
 Name:		chromium-browser-stable
 Version:	77.0.3865.90
 Release:	1
+%else
+Summary:	Chromium web-browser with patches to make GOST TLS work via CryptoPro
+Name:		chromium-gost
+Version:	77.0.3865.90
+Release:	1
+%endif
 License:	BSD, LGPL
 Group:		Networking/WWW
 Url:		https://www.chromium.org/Home
 Source0:	https://commondatastorage.googleapis.com/chromium-browser-official/chromium-%{version}.tar.xz
 Source1:	chromium-wrapper
-Source2:	chromium-browser.desktop
+Source2:	%{crname}.desktop
 # Setup toolchain for rosa builds, from gentoo
 # https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/toolchain/BUILD.gn
 Source5:	BUILD.gn
@ -52,6 +72,13 @@ Source32:	chromium.default
 Source100:	icons.tar.bz2
 Source997:	depot_tools.tar.xz
 Source999:	new-system-icons.tar.xz
+
+%if %{with gost}
+Source1100:	Makefile.gost
+Source1101:	https://github.com/deemru/chromium-gost/archive/%{chromium_gost_commit}/chromium-gost-%{chromium_gost_commit}.tar.gz
+Source1102:	https://github.com/deemru/msspi/archive/%{msspi_commit}/msspi-%{msspi_commit}.tar.gz
+%endif
+
 Patch4:		chromium-30.0.1599.66-master-prefs-path.patch
 # (cjw) Recognize mimetypes for matroska (.mkv) and AVI (.avi) formats (video/x-matroska and audio/x-matroska, video/x-msvideo) + handle A52 "AC3" and DTS compressed audio.
 Patch6:		chromium-55-extra-media.patch
@ -116,9 +143,8 @@ Patch700:	chromium-70.0.3538.77-no-system-nodejs.patch
 Patch717:	chromium-70.0.3538.67-disable-fontconfig-cache-magic.patch

 Provides:	%{crname} = %{EVRD}
-Conflicts:	chromium-browser-unstable
-Conflicts:	chromium-browser-beta
-Obsoletes:	chromium-browser < 1:9.0.597.94
+Conflicts:	%{crname}-unstable
+Conflicts:	%{crname}-beta
 BuildRequires:	bison
 %if 0%{?clang}
 BuildRequires:	clang
@ -201,19 +227,17 @@ BuildRequires:	pkgconfig(xtst)
 BuildRequires:	pkgconfig(zlib)
 BuildRequires:	pythonegg(beautifulsoup4)
 BuildRequires:	pythonegg(html5lib)
+%if %{with gost}
+BuildRequires:	chrpath
+%endif

 Suggests:	chromium-browser-pepper-flash
 Conflicts:	chromium-widevinecdm-plugin < 54
 Obsoletes:	chromium-widevinecdm-plugin < 54
-Conflicts:	chromium-browser-beta
-Conflicts:	chromium-browser-unstable
-Obsoletes:	chromium-browser < 1:9.0.597.94
-Obsoletes:	chromium-browser-pdf-plugin < 17.0.0.169
-
+Conflicts:	%{crname}-beta
+Conflicts:	%{crname}-unstable
 Provides:	%{crname} = %{EVRD}

-ExclusiveArch:	%{ix86} x86_64 armv7l
-
 %description
 Chromium is a browser that combines a minimal design with sophisticated
 technology to make the web faster, safer, and easier.
@ -242,19 +266,23 @@ your profile before changing channels.
 %{_crdir}/themes
 %{_crdir}/default_apps
 %{_crdir}/swiftshader
+%if %{with gost}
+%{_crdir}/libgostssl.so
+%{_crdir}/gostssl.so
+%endif
 %dir %{_crdir}/pepper
 %{_datadir}/applications/*.desktop
 %{_iconsdir}/hicolor/*/apps/chromium*

 %post
 # Remove chromium-browser-install package if we have it installed
-if [ `rpm -q chromium-browser-install | wc -w` == 1 ]
+if [ "$(rpm -q %{crname}-install | wc -w)" = 1 ]
 then
-	rpm -e chromium-browser-install
+	rpm -e %{crname}-install
 fi

 #----------------------------------------------------------------------------
-
+%if ! %{with gost}
 %package -n chromium-browser
 Summary:	A fast web browser based on the Blink engine
 Epoch:		1
@ -271,25 +299,25 @@ browser. If you prefer the dev channel browser, install the
 chromium-browser-unstable package instead.

 %files -n chromium-browser
-
+%endif
 #----------------------------------------------------------------------------

-%package -n chromedriver
+%package -n %{chromedriver}
 Summary:	WebDriver for Google Chrome/Chromium
 Group:		Development/Other
 # No %%{EVRD}
 Requires:	%{name} = %{version}-%{release}

-%description -n chromedriver
+%description -n %{chromedriver}
 WebDriver is an open source tool for automated testing of webapps across many
 browsers. It provides capabilities for navigating to web pages, user input,
 JavaScript execution, and more. ChromeDriver is a standalone server which
 implements WebDriver's wire protocol for Chromium. It is being developed by
 members of the Chromium and WebDriver teams.

-%files -n chromedriver
+%files -n %{chromedriver}
 %doc LICENSE AUTHORS
-%{_bindir}/chromedriver
+%{_bindir}/%{chromedriver}
 %{_crdir}/chromedriver

 #----------------------------------------------------------------------------
@ -297,6 +325,22 @@ members of the Chromium and WebDriver teams.
 %prep
 %setup -qn chromium-%{version} -a 997 -a 999

+%if %{with gost}
+mkdir -p %{_gostsourcedir}
+tar -C %{_gostsourcedir} --strip 1 -xf %{SOURCE1101}
+sed -i \
+	-e "s,^#include <../ssl/internal.h>,#include \"${PWD}/third_party/boringssl/src/ssl/internal.h\",g" \
+	%{_gostsourcedir}/src/gostssl.cpp
+tar -C %{_gostsourcedir}/src/msspi --strip 1 -xf %{SOURCE1102}
+patch -p1 < %{_gostsourcedir}/patch/chromium.patch
+( cd ./third_party/boringssl/src
+patch -p1 < %{_gostsourcedir}/patch/boringssl.patch )
+( cd %{_gostsourcedir}
+# Canonical library naming requires to prefix their names with "lib"
+# We make a symlink later
+grep -rIl gostssl.so . | xargs sed -i 's/gostssl.so/libgostssl.so/g' )
+%endif
+
 %patch4 -p1 -b .prefs
 %patch6 -p1
 %patch7 -p1
@ -590,6 +634,16 @@ third_party/node/update_npm_deps
 %endif

 %build
+
+%if %{with gost}
+make --file %{SOURCE1100} \
+	SDIR="%{_gostsourcedir}" \
+	OUTDIR="%{_gostsourcedir}" \
+	CC="%{__cc}" \
+	CXX="%{__cxx}" \
+	CFLAGS="%{optflags}"
+%endif
+
 %define system_gn_list ffmpeg
 # flac libxslt snappy yasm libpng zlib
 # opus
@ -764,4 +818,27 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{crname}
 install -m 0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/%{crname}/
 install -m 0644 %{SOURCE31} %{buildroot}%{_sysconfdir}/%{crname}/

+%if %{with gost}
+install -m0644 %{_gostsourcedir}/libgostssl.so %{buildroot}%{_crdir}/libgostssl.so
+# Compatibility symlink: it is named gostssl.so in other builds of Chromium-GOST
+# but it is common to prefix libraries with "lib"
+( cd %{buildroot}%{_crdir}/ ; ln -s libgostssl.so gostssl.so )
+mv %{buildroot}%{_bindir}/chromedriver %{buildroot}%{_bindir}/%{chromedriver}
+
+# find all files
+find %{buildroot}%{_crdir} -type f |
+while read f; do
+# resolve symlinks
+t="$(readlink -ev "$f")"
+file "$t" | fgrep -qs ELF || continue
+# Add real RPATH. We need RPATH in GOST builds because 'dlopen(libgostssl.so)'
+# is performed, but libgostssl.so will not be found without RPATH.
+# Here we could change chromium.path from chromium-gost so that it has
+# an absolute path to "gostssl.so" instead of a relative one
+# but it is strange to hardcode absolute paths to libraries and will
+# break running our Chromium somewhere outside of standard locations.
+chrpath -r '%{_crdir}' "$t" ||:
+done
+%endif
+
 find %{buildroot} -name "*.nexe" -exec strip {} \;
--- a/chromium-browser.desktop
+++ b/chromium-browser.desktop
@ -242,7 +242,7 @@ Name[uk]=Нове вікно
 Name[vi]=Cửa sổ Mới
 Name[zh_CN]=新建窗口
 Name[zh_TW]=開新視窗
-Exec=chromium-browser
+Exec=chromium-browser --new-window

 [Desktop Action new-private-window]
 Name=New Incognito Window
--- a/chromium-gost.desktop
+++ b/chromium-gost.desktop
@ -0,0 +1,27 @@
+[Desktop Entry]
+Version=1.0
+Name=Chromium-GOST Web Browser
+Name[ru]=Браузер Chromium-ГОСТ
+GenericName=Chromium-GOST Web Browser
+GenericName[ru]=Браузер Chromium-ГОСТ
+Comment=Web Browser with support of GOST cryptography
+Comment[ru]=Веб-браузер Chromium с поддержкой ГОСТ-шифрования
+Exec=chromium-gost %u
+Icon=chromium-gost
+Terminal=false
+Type=Application
+StartupWMClass=Chromium-browser
+MimeType=application/x-extension-htm;application/x-extension-html;application/x-extension-shtml;application/x-extension-xht;application/x-extension-xhtml;application/xhtml+xml;text/html;x-scheme-handler/chrome;x-scheme-handler/ftp;x-scheme-handler/http;x-scheme-handler/https;
+Categories=GTK;Network;WebBrowser;X-MandrivaLinux-Internet-WebBrowsers;X-MandrivaLinux-CrossDesktop;
+Actions=new-window;new-private-window;
+
+[Desktop Action new-window]
+Name=New Window
+Name[ru]=Новое окно
+Exec=chromium-gost --new-window
+
+[Desktop Action new-private-window]
+Name=New Incognito Window
+Name[ru]=Новое окно в режиме инкогнито
+Exec=chromium-gost --incognito
+