From 8b4fc265c2c817a8b026f7b515eb2b805b7e355c Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sat, 21 Sep 2019 23:02:43 +0300 Subject: [PATCH] Build with support of GOST TLS via CryptoPro Thanks to ALT Linux team for the initial idea how to build it without proprietary libcapi libraries from CryptoPro. --- .abf.yml | 2 + Makefile.gost | 30 +++++++++ chromium-browser-stable.spec | 115 +++++++++++++++++++++++++++++------ chromium-browser.desktop | 2 +- chromium-gost.desktop | 27 ++++++++ 5 files changed, 156 insertions(+), 20 deletions(-) create mode 100644 Makefile.gost create mode 100644 chromium-gost.desktop diff --git a/.abf.yml b/.abf.yml index 345a1d1..8e4a7a2 100644 --- a/.abf.yml +++ b/.abf.yml @@ -3,3 +3,5 @@ sources: depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5 icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3 new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28 + chromium-gost-e3818b44e5b738666df02a4faa30025e8f70e4a9.tar.gz: 2928eaf224fb3da4c4a66fac59b2e795afd879fc374464a7513400ccb44bcd70 + msspi-11be3c144405ac712432d172bca2863545f81fea.tar.gz: cfdb39e5c0ccef14901ed01300cc7cf17fb7c60c6794cf2fc2d54c297bb48b9a diff --git a/Makefile.gost b/Makefile.gost new file mode 100644 index 0000000..e39f66c --- /dev/null +++ b/Makefile.gost 
@@ -0,0 +1,30 @@
+# Put https://github.com/deemru/chromium-gost with msspi submodule to %{_gostsourcedir}
+# Run this as:
+# make -C Makefile.gost SDIR=%{_gostsourcedir} CC=%{__cc} CXX=%{__cxx} CFLAGS=%{optflags}
+# Idea how to build this originates from ALT Linux
+
+SDIR ?= chromium-gost
+OUTDIR ?= .
+TMPDIR ?= $(shell mktemp -d)
+CC ?= gcc
+CXX ?= g++
+CRYPTOPRO_MAJOR_VERSION ?= 4
+CFLAGS ?= -O2 -g
+GOSTCFLAGS ?=
+
+make:
+ cd $(TMPDIR) ; \
+ ar r empty.a ; \
+ $(CC) -shared empty.a -Wl,-soname=libcapi20.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi20.so ; \
+ $(CC) -shared empty.a -Wl,-soname=libcapi10.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi10.so
+
+ $(CXX) $(CFLAGS) $(GOSTCFLAGS) \
+ -Wall -Wl,--no-as-needed -std=c++11 -fPIC -shared -s -Werror -Wno-unused-function -ldl \
+ $(SDIR)/src/gostssl.cpp \
+ $(SDIR)/src/msspi/src/msspi.cpp \
+ -I $(SDIR)/src/msspi/src \
+ -I $(SDIR)/src/msspi/third_party/cprocsp/include \
+ -I third_party/boringssl/src/include \
+ -lcapi10 -lcapi20 \
+ -L$(TMPDIR) \
+ -o $(OUTDIR)/libgostssl.so
diff --git a/chromium-browser-stable.spec b/chromium-browser-stable.spec
index a5616ad..f83492a 100644
--- a/chromium-browser-stable.spec
+++ b/chromium-browser-stable.spec
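Review bot: `TMPDIR ?= $(shell mktemp -d)` defines a recursively expanded variable, so `mktemp -d` runs at every reference and `cd $(TMPDIR)` in the stub step and `-L$(TMPDIR)` in the link step name different directories unless TMPDIR is already set in the environment. When it is set, typically to a shared directory such as /tmp, `empty.a`, `libcapi20.so` and `libcapi10.so` are created there under fixed names and that directory goes on the linker search path, so the build depends on files other local users can write. A private, once-evaluated variable fixes both: `STUBDIR := $(shell mktemp -d)`, used in the `cd` and in `-L`. The stub commands are joined with `;`, so a failed `cd` does not stop the recipe; `&&` would. The usage comment says `make -C Makefile.gost`, but `-C` takes a directory; the `make --file` form used by the spec is the one that works.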
@@ -4,17 +4,25 @@ # [3] https://www.archlinux.org/packages/extra/x86_64/chromium/ # [4] https://src.fedoraproject.org/rpms/chromium/ # [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/ +# [6] https://packages.altlinux.org/ru/sisyphus/specfiles/chromium-gost # Get the version number of latest stable version # $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3 %global _build_pkgcheck_set %{nil} +%bcond_without gost # eol 'fix' corrupts some .bin %define dont_fix_eol 1 %define _disable_lto 1 +%if %{with gost} +%define crname chromium-gost +%define chromedriver chromedriver-gost +%else %define crname chromium-browser +%define chromedriver chromedriver +%endif %define _crdir %{_libdir}/%{crname} %define _src %{_topdir}/SOURCES @@ -32,16 +40,28 @@ %define google_default_client_id 1039996407057-q599ngv7i6ni4sbkd2fsns30246r9s9v.apps.googleusercontent.com %define google_default_client_secret mRHXPjlS4cLpp1beCiXoYbLZ +# GOST patches and sources +%define chromium_gost_commit e3818b44e5b738666df02a4faa30025e8f70e4a9 +%define msspi_commit 11be3c144405ac712432d172bca2863545f81fea +%define _gostsourcedir %{_builddir}/chromium-gost + +%if ! %{with gost} Summary: A fast web browser based on the Blink engine Name: chromium-browser-stable Version: 77.0.3865.90 Release: 1 +%else +Summary: Chromium web-browser with patches to make GOST TLS work via CryptoPro +Name: chromium-gost +Version: 77.0.3865.90 +Release: 1 +%endif License: BSD, LGPL Group: Networking/WWW Url: https://www.chromium.org/Home Source0: https://commondatastorage.googleapis.com/chromium-browser-official/chromium-%{version}.tar.xz Source1: chromium-wrapper -Source2: chromium-browser.desktop +Source2: %{crname}.desktop # Setup toolchain for rosa builds, from gentoo # https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/toolchain/BUILD.gn Source5: BUILD.gn 
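Review bot: `%bcond_without gost` in the first hunk makes the GOST variant the default, so a plain build of chromium-browser-stable.spec now produces a package named `chromium-gost` (via the `%if ! %{with gost}` / `%else` preamble in the second hunk) instead of `chromium-browser-stable`. If the stock browser is still meant to be the default product of this spec, the switch should be `%bcond_with gost` so the variant is opt-in with `--with gost`. If GOST-by-default is intended for this branch, a comment next to the bcond would make that explicit, e.g. `# GOST build is the default here; pass --without gost for stock Chromium`. In the second hunk `Version` and `Release` are repeated identically in both branches; keeping only `Summary` and `Name` inside the conditional avoids the two copies drifting apart on the next version bump.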
@@ -52,6 +72,13 @@ Source32: chromium.default Source100: icons.tar.bz2 Source997: depot_tools.tar.xz Source999: new-system-icons.tar.xz + +%if %{with gost} +Source1100: Makefile.gost +Source1101: https://github.com/deemru/chromium-gost/archive/%{chromium_gost_commit}/chromium-gost-%{chromium_gost_commit}.tar.gz +Source1102: https://github.com/deemru/msspi/archive/%{msspi_commit}/msspi-%{msspi_commit}.tar.gz +%endif + Patch4: chromium-30.0.1599.66-master-prefs-path.patch # (cjw) Recognize mimetypes for matroska (.mkv) and AVI (.avi) formats (video/x-matroska and audio/x-matroska, video/x-msvideo) + handle A52 "AC3" and DTS compressed audio. Patch6: chromium-55-extra-media.patch @@ -116,9 +143,8 @@ Patch700: chromium-70.0.3538.77-no-system-nodejs.patch Patch717: chromium-70.0.3538.67-disable-fontconfig-cache-magic.patch Provides: %{crname} = %{EVRD} -Conflicts: chromium-browser-unstable -Conflicts: chromium-browser-beta -Obsoletes: chromium-browser < 1:9.0.597.94 +Conflicts: %{crname}-unstable +Conflicts: %{crname}-beta BuildRequires: bison %if 0%{?clang} BuildRequires: clang @@ -201,19 +227,17 @@ BuildRequires: pkgconfig(xtst) BuildRequires: pkgconfig(zlib) BuildRequires: pythonegg(beautifulsoup4) BuildRequires: pythonegg(html5lib) +%if %{with gost} +BuildRequires: chrpath +%endif Suggests: chromium-browser-pepper-flash Conflicts: chromium-widevinecdm-plugin < 54 Obsoletes: chromium-widevinecdm-plugin < 54 -Conflicts: chromium-browser-beta -Conflicts: chromium-browser-unstable -Obsoletes: chromium-browser < 1:9.0.597.94 -Obsoletes: chromium-browser-pdf-plugin < 17.0.0.169 - +Conflicts: %{crname}-beta +Conflicts: %{crname}-unstable Provides: %{crname} = %{EVRD} -ExclusiveArch: %{ix86} x86_64 armv7l - %description Chromium is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. 
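Review bot: The third hunk removes `ExclusiveArch: %{ix86} x86_64 armv7l` and two `Obsoletes:` lines (one more `Obsoletes:` goes in the second hunk) outside any `%if %{with gost}`, so the non-GOST build changes as well, although the commit message only talks about GOST TLS support. The reason for dropping the architecture restriction and the upgrade path from old `chromium-browser` packages is not documented anywhere in the patch. Either move these removals to a separate commit or record the reason next to the change, e.g. `# ExclusiveArch dropped: <reason>`. `Suggests: chromium-browser-pepper-flash` stays unconditional and may deserve the same look for the `chromium-gost` package.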
@@ -242,19 +266,23 @@ your profile before changing channels. %{_crdir}/themes %{_crdir}/default_apps %{_crdir}/swiftshader +%if %{with gost} +%{_crdir}/libgostssl.so +%{_crdir}/gostssl.so +%endif %dir %{_crdir}/pepper %{_datadir}/applications/*.desktop %{_iconsdir}/hicolor/*/apps/chromium* %post # Remove chromium-browser-install package if we have it installed -if [ `rpm -q chromium-browser-install | wc -w` == 1 ] +if [ "$(rpm -q %{crname}-install | wc -w)" = 1 ] then - rpm -e chromium-browser-install + rpm -e %{crname}-install fi #---------------------------------------------------------------------------- - +%if ! %{with gost} %package -n chromium-browser Summary: A fast web browser based on the Blink engine Epoch: 1 @@ -271,25 +299,25 @@ browser. If you prefer the dev channel browser, install the chromium-browser-unstable package instead. %files -n chromium-browser - +%endif #---------------------------------------------------------------------------- -%package -n chromedriver +%package -n %{chromedriver} Summary: WebDriver for Google Chrome/Chromium Group: Development/Other # No %%{EVRD} Requires: %{name} = %{version}-%{release} -%description -n chromedriver +%description -n %{chromedriver} WebDriver is an open source tool for automated testing of webapps across many browsers. It provides capabilities for navigating to web pages, user input, JavaScript execution, and more. ChromeDriver is a standalone server which implements WebDriver's wire protocol for Chromium. It is being developed by members of the Chromium and WebDriver teams. -%files -n chromedriver +%files -n %{chromedriver} %doc LICENSE AUTHORS -%{_bindir}/chromedriver +%{_bindir}/%{chromedriver} %{_crdir}/chromedriver #---------------------------------------------------------------------------- 
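Review bot: The `%post` scriptlet in the first hunk still queries and erases a package with `rpm` from inside a running transaction, and with `%{crname}` substituted it now looks for `chromium-gost-install` in the GOST build. A nested `rpm -e` normally cannot obtain the rpmdb lock held by the outer install, so the removal is unlikely to take effect, and counting words of `rpm -q` output is fragile. Declaring `Obsoletes: %{crname}-install` in the preamble lets the package manager do the replacement without a scriptlet. If the scriptlet has to stay, test the exit status instead: `if rpm -q %{crname}-install >/dev/null 2>&1; then`.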
@@ -297,6 +325,22 @@ members of the Chromium and WebDriver teams. %prep %setup -qn chromium-%{version} -a 997 -a 999 +%if %{with gost} +mkdir -p %{_gostsourcedir} +tar -C %{_gostsourcedir} --strip 1 -xf %{SOURCE1101} +sed -i \ + -e "s,^#include <../ssl/internal.h>,#include \"${PWD}/third_party/boringssl/src/ssl/internal.h\",g" \ + %{_gostsourcedir}/src/gostssl.cpp +tar -C %{_gostsourcedir}/src/msspi --strip 1 -xf %{SOURCE1102} +patch -p1 < %{_gostsourcedir}/patch/chromium.patch +( cd ./third_party/boringssl/src +patch -p1 < %{_gostsourcedir}/patch/boringssl.patch ) +( cd %{_gostsourcedir} +# Canonical library naming requires to prefix their names with "lib" +# We make a symlink later +grep -rIl gostssl.so . | xargs sed -i 's/gostssl.so/libgostssl.so/g' ) +%endif + %patch4 -p1 -b .prefs %patch6 -p1 %patch7 -p1 @@ -590,6 +634,16 @@ third_party/node/update_npm_deps %endif %build + +%if %{with gost} +make --file %{SOURCE1100} \ + SDIR="%{_gostsourcedir}" \ + OUTDIR="%{_gostsourcedir}" \ + CC="%{__cc}" \ + CXX="%{__cxx}" \ + CFLAGS="%{optflags}" +%endif + %define system_gn_list ffmpeg # flac libxslt snappy yasm libpng zlib # opus 
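Review bot: In the `%prep` hunk, `grep -rIl gostssl.so . | xargs sed -i 's/gostssl.so/libgostssl.so/g'` matches more than intended: the unescaped `.` matches any character, any occurrence already spelled `libgostssl.so` becomes `liblibgostssl.so`, and `xargs` without `-r` runs `sed -i` with no file argument when grep finds nothing. A tighter form is `grep -rIlZ 'gostssl\.so' . | xargs -0r sed -i 's/\bgostssl\.so/libgostssl.so/g'`. `%{_gostsourcedir}` lives in `%{_builddir}` outside the `%setup` tree and is only created with `mkdir -p`, so files left by an earlier build are not cleared; an `rm -rf %{_gostsourcedir}` before the `mkdir -p` makes the step reproducible. The rewrite also runs after `patch/chromium.patch` has been applied, so it cannot change the name that went into the Chromium tree; if the compat symlink is what covers that, a one-line comment saying so would help.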
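Review bot: The `make --file %{SOURCE1100}` call in the `%build` hunk passes `CFLAGS="%{optflags}"` but no linker flags, and Makefile.gost links with its own fixed option list. `libgostssl.so`, which carries the TLS path in the GOST build, may therefore be linked without the distribution's hardening link options, depending on what `%{optflags}` contains on this platform. Makefile.gost already has an empty `GOSTCFLAGS` hook, so adding `GOSTCFLAGS="%{ldflags}"` to this call would apply them, assuming the platform defines that macro as other Mandriva-derived trees do.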
@@ -764,4 +818,27 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{crname} install -m 0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/%{crname}/ install -m 0644 %{SOURCE31} %{buildroot}%{_sysconfdir}/%{crname}/ +%if %{with gost} +install -m0644 %{_gostsourcedir}/libgostssl.so %{buildroot}%{_crdir}/libgostssl.so +# Compatibility symlink: it is named gostssl.so in other builds of Chromium-GOST +# but it is common to prefix libraries with "lib" +( cd %{buildroot}%{_crdir}/ ; ln -s libgostssl.so gostssl.so ) +mv %{buildroot}%{_bindir}/chromedriver %{buildroot}%{_bindir}/%{chromedriver} + +# find all files +find %{buildroot}%{_crdir} -type f | +while read f; do +# resolve symlinks +t="$(readlink -ev "$f")" +file "$t" | fgrep -qs ELF || continue +# Add real RPATH. We need RPATH in GOST builds because 'dlopen(libgostssl.so)' +# is performed, but libgostssl.so will not be found without RPATH. +# Here we could change chromium.path from chromium-gost so that it has +# an absolute path to "gostssl.so" instead of a relative one +# but it is strange to hardcode absolute paths to libraries and will +# break running our Chromium somewhere outside of standard locations. +chrpath -r '%{_crdir}' "$t" ||: +done +%endif + find %{buildroot} -name "*.nexe" -exec strip {} \; diff --git a/chromium-browser.desktop b/chromium-browser.desktop index e6507a7..492b0ac 100644 --- a/chromium-browser.desktop +++ b/chromium-browser.desktop @@ -242,7 +242,7 @@ Name[uk]=Нове вікно Name[vi]=Cửa sổ Mới Name[zh_CN]=新建窗口 Name[zh_TW]=開新視窗 -Exec=chromium-browser +Exec=chromium-browser --new-window [Desktop Action new-private-window] Name=New Incognito Window diff --git a/chromium-gost.desktop b/chromium-gost.desktop new file mode 100644 index 0000000..dac18dd --- /dev/null +++ b/chromium-gost.desktop 
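Review bot: In the `%install` loop, `chrpath -r '%{_crdir}' "$t" ||:` discards every failure, and `chrpath -r` can only rewrite an RPATH/RUNPATH tag that already exists and is at least as long as the new path, so the browser binary can ship without the path the `dlopen` of `libgostssl.so` relies on while the build still succeeds. The TLS provider would then be resolved through the default library search path and `LD_LIBRARY_PATH` rather than from `%{_crdir}`. At minimum report the failure, `chrpath -r '%{_crdir}' "$t" || echo "chrpath failed for $t" >&2`, and after the loop fail the build if `chrpath -l` on the binary that performs the `dlopen` does not show `%{_crdir}`. The loop also stamps the RPATH on every ELF file under `%{_crdir}` instead of only that binary. `readlink -ev` is a no-op because `find -type f` never returns symlinks, and `while read f` should be `while IFS= read -r f`.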
@@ -0,0 +1,27 @@
+[Desktop Entry]
+Version=1.0
+Name=Chromium-GOST Web Browser
+Name[ru]=Браузер Chromium-ГОСТ
+GenericName=Chromium-GOST Web Browser
+GenericName[ru]=Браузер Chromium-ГОСТ
+Comment=Web Browser with support of GOST cryptography
+Comment[ru]=Веб-браузер Chromium с поддержкой ГОСТ-шифрования
+Exec=chromium-gost %u
+Icon=chromium-gost
+Terminal=false
+Type=Application
+StartupWMClass=Chromium-browser
+MimeType=application/x-extension-htm;application/x-extension-html;application/x-extension-shtml;application/x-extension-xht;application/x-extension-xhtml;application/xhtml+xml;text/html;x-scheme-handler/chrome;x-scheme-handler/ftp;x-scheme-handler/http;x-scheme-handler/https;
+Categories=GTK;Network;WebBrowser;X-MandrivaLinux-Internet-WebBrowsers;X-MandrivaLinux-CrossDesktop;
+Actions=new-window;new-private-window;
+
+[Desktop Action new-window]
+Name=New Window
+Name[ru]=Новое окно
+Exec=chromium-gost --new-window
+
+[Desktop Action new-private-window]
+Name=New Incognito Window
+Name[ru]=Новое окно в режиме инкогнито
+Exec=chromium-gost --incognito
+