Build with support of GOST TLS via CryptoPro

Thanks to the ALT Linux team for the initial idea of how to build it without
the proprietary libcapi libraries from CryptoPro.
Mikhail Novosyolov 2019-09-21 23:02:43 +03:00
parent 8109e1b0c1
commit 8b4fc265c2
5 changed files with 156 additions and 20 deletions


@ -3,3 +3,5 @@ sources:
depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5 depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5
icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3 icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3
new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28 new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28
chromium-gost-e3818b44e5b738666df02a4faa30025e8f70e4a9.tar.gz: 2928eaf224fb3da4c4a66fac59b2e795afd879fc374464a7513400ccb44bcd70
msspi-11be3c144405ac712432d172bca2863545f81fea.tar.gz: cfdb39e5c0ccef14901ed01300cc7cf17fb7c60c6794cf2fc2d54c297bb48b9a

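--- a/Makefile.gost
+++ b/Makefile.gost
@@ -0,0 +1,30 @@
+# Put https://github.com/deemru/chromium-gost with msspi submodule to %{_gostsourcedir}
+# Run this as:
+# make -C Makefile.gost SDIR=%{_gostsourcedir} CC=%{__cc} CXX=%{__cxx} CFLAGS=%{optflags}
+# Idea how to build this originates from ALT Linux
+SDIR ?= chromium-gost
+OUTDIR ?= .
+TMPDIR ?= $(shell mktemp -d)
+CC ?= gcc
+CXX ?= g++
+CRYPTOPRO_MAJOR_VERSION ?= 4
+CFLAGS ?= -O2 -g
+GOSTCFLAGS ?=
+make:
+cd $(TMPDIR) ; \
+ar r empty.a ; \
+$(CC) -shared empty.a -Wl,-soname=libcapi20.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi20.so ; \
+$(CC) -shared empty.a -Wl,-soname=libcapi10.so.$(CRYPTOPRO_MAJOR_VERSION) -o libcapi10.so
+$(CXX) $(CFLAGS) $(GOSTCFLAGS) \
+-Wall -Wl,--no-as-needed -std=c++11 -fPIC -shared -s -Werror -Wno-unused-function -ldl \
+$(SDIR)/src/gostssl.cpp \
+$(SDIR)/src/msspi/src/msspi.cpp \
+-I $(SDIR)/src/msspi/src \
+-I $(SDIR)/src/msspi/third_party/cprocsp/include \
+-I third_party/boringssl/src/include \
+-lcapi10 -lcapi20 \
+-L$(TMPDIR) \
+-o $(OUTDIR)/libgostssl.so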
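Review bot: `TMPDIR ?= $(shell mktemp -d)` does not give the recipe a private scratch directory in either case. TMPDIR is a standard environment variable, so when the build environment exports it the `?=` is skipped and `empty.a`, `libcapi10.so` and `libcapi20.so` are written under fixed names straight into that shared directory, which `-L$(TMPDIR)` then also puts on the linker search path. When it is unset, the recursive `?=` re-runs `mktemp -d` on every expansion, so the `cd $(TMPDIR)` line and the `-L$(TMPDIR)` line see two different directories. I would use a name that cannot come from the environment and expand it once, e.g. `STUBDIR := $(shell mktemp -d)`, use it in both recipe lines, and remove the directory at the end. The stub commands are also chained with `;`, so a failed `cd` is ignored and the stubs land in the current directory; `&&` would stop there.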


@ -4,17 +4,25 @@
# [3] https://www.archlinux.org/packages/extra/x86_64/chromium/ # [3] https://www.archlinux.org/packages/extra/x86_64/chromium/
# [4] https://src.fedoraproject.org/rpms/chromium/ # [4] https://src.fedoraproject.org/rpms/chromium/
# [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/ # [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/
# [6] https://packages.altlinux.org/ru/sisyphus/specfiles/chromium-gost
# Get the version number of latest stable version # Get the version number of latest stable version
# $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3 # $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3
%global _build_pkgcheck_set %{nil} %global _build_pkgcheck_set %{nil}
%bcond_without gost
# eol 'fix' corrupts some .bin # eol 'fix' corrupts some .bin
%define dont_fix_eol 1 %define dont_fix_eol 1
%define _disable_lto 1 %define _disable_lto 1
%if %{with gost}
%define crname chromium-gost
%define chromedriver chromedriver-gost
%else
%define crname chromium-browser %define crname chromium-browser
%define chromedriver chromedriver
%endif
%define _crdir %{_libdir}/%{crname} %define _crdir %{_libdir}/%{crname}
%define _src %{_topdir}/SOURCES %define _src %{_topdir}/SOURCES
@ -32,16 +40,28 @@
%define google_default_client_id 1039996407057-q599ngv7i6ni4sbkd2fsns30246r9s9v.apps.googleusercontent.com %define google_default_client_id 1039996407057-q599ngv7i6ni4sbkd2fsns30246r9s9v.apps.googleusercontent.com
%define google_default_client_secret mRHXPjlS4cLpp1beCiXoYbLZ %define google_default_client_secret mRHXPjlS4cLpp1beCiXoYbLZ
# GOST patches and sources
%define chromium_gost_commit e3818b44e5b738666df02a4faa30025e8f70e4a9
%define msspi_commit 11be3c144405ac712432d172bca2863545f81fea
%define _gostsourcedir %{_builddir}/chromium-gost
%if ! %{with gost}
Summary: A fast web browser based on the Blink engine Summary: A fast web browser based on the Blink engine
Name: chromium-browser-stable Name: chromium-browser-stable
Version: 77.0.3865.90 Version: 77.0.3865.90
Release: 1 Release: 1
%else
Summary: Chromium web-browser with patches to make GOST TLS work via CryptoPro
Name: chromium-gost
Version: 77.0.3865.90
Release: 1
%endif
License: BSD, LGPL License: BSD, LGPL
Group: Networking/WWW Group: Networking/WWW
Url: https://www.chromium.org/Home Url: https://www.chromium.org/Home
Source0: https://commondatastorage.googleapis.com/chromium-browser-official/chromium-%{version}.tar.xz Source0: https://commondatastorage.googleapis.com/chromium-browser-official/chromium-%{version}.tar.xz
Source1: chromium-wrapper Source1: chromium-wrapper
Source2: chromium-browser.desktop Source2: %{crname}.desktop
# Setup toolchain for rosa builds, from gentoo # Setup toolchain for rosa builds, from gentoo
# https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/toolchain/BUILD.gn # https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/toolchain/BUILD.gn
Source5: BUILD.gn Source5: BUILD.gn
@ -52,6 +72,13 @@ Source32: chromium.default
Source100: icons.tar.bz2 Source100: icons.tar.bz2
Source997: depot_tools.tar.xz Source997: depot_tools.tar.xz
Source999: new-system-icons.tar.xz Source999: new-system-icons.tar.xz
%if %{with gost}
Source1100: Makefile.gost
Source1101: https://github.com/deemru/chromium-gost/archive/%{chromium_gost_commit}/chromium-gost-%{chromium_gost_commit}.tar.gz
Source1102: https://github.com/deemru/msspi/archive/%{msspi_commit}/msspi-%{msspi_commit}.tar.gz
%endif
Patch4: chromium-30.0.1599.66-master-prefs-path.patch Patch4: chromium-30.0.1599.66-master-prefs-path.patch
# (cjw) Recognize mimetypes for matroska (.mkv) and AVI (.avi) formats (video/x-matroska and audio/x-matroska, video/x-msvideo) + handle A52 "AC3" and DTS compressed audio. # (cjw) Recognize mimetypes for matroska (.mkv) and AVI (.avi) formats (video/x-matroska and audio/x-matroska, video/x-msvideo) + handle A52 "AC3" and DTS compressed audio.
Patch6: chromium-55-extra-media.patch Patch6: chromium-55-extra-media.patch
@ -116,9 +143,8 @@ Patch700: chromium-70.0.3538.77-no-system-nodejs.patch
Patch717: chromium-70.0.3538.67-disable-fontconfig-cache-magic.patch Patch717: chromium-70.0.3538.67-disable-fontconfig-cache-magic.patch
Provides: %{crname} = %{EVRD} Provides: %{crname} = %{EVRD}
Conflicts: chromium-browser-unstable Conflicts: %{crname}-unstable
Conflicts: chromium-browser-beta Conflicts: %{crname}-beta
Obsoletes: chromium-browser < 1:9.0.597.94
BuildRequires: bison BuildRequires: bison
%if 0%{?clang} %if 0%{?clang}
BuildRequires: clang BuildRequires: clang
@ -201,19 +227,17 @@ BuildRequires: pkgconfig(xtst)
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
BuildRequires: pythonegg(beautifulsoup4) BuildRequires: pythonegg(beautifulsoup4)
BuildRequires: pythonegg(html5lib) BuildRequires: pythonegg(html5lib)
%if %{with gost}
BuildRequires: chrpath
%endif
Suggests: chromium-browser-pepper-flash Suggests: chromium-browser-pepper-flash
Conflicts: chromium-widevinecdm-plugin < 54 Conflicts: chromium-widevinecdm-plugin < 54
Obsoletes: chromium-widevinecdm-plugin < 54 Obsoletes: chromium-widevinecdm-plugin < 54
Conflicts: chromium-browser-beta Conflicts: %{crname}-beta
Conflicts: chromium-browser-unstable Conflicts: %{crname}-unstable
Obsoletes: chromium-browser < 1:9.0.597.94
Obsoletes: chromium-browser-pdf-plugin < 17.0.0.169
Provides: %{crname} = %{EVRD} Provides: %{crname} = %{EVRD}
ExclusiveArch: %{ix86} x86_64 armv7l
%description %description
Chromium is a browser that combines a minimal design with sophisticated Chromium is a browser that combines a minimal design with sophisticated
technology to make the web faster, safer, and easier. technology to make the web faster, safer, and easier.
@ -242,19 +266,23 @@ your profile before changing channels.
%{_crdir}/themes %{_crdir}/themes
%{_crdir}/default_apps %{_crdir}/default_apps
%{_crdir}/swiftshader %{_crdir}/swiftshader
%if %{with gost}
%{_crdir}/libgostssl.so
%{_crdir}/gostssl.so
%endif
%dir %{_crdir}/pepper %dir %{_crdir}/pepper
%{_datadir}/applications/*.desktop %{_datadir}/applications/*.desktop
%{_iconsdir}/hicolor/*/apps/chromium* %{_iconsdir}/hicolor/*/apps/chromium*
%post %post
# Remove chromium-browser-install package if we have it installed # Remove chromium-browser-install package if we have it installed
if [ `rpm -q chromium-browser-install | wc -w` == 1 ] if [ "$(rpm -q %{crname}-install | wc -w)" = 1 ]
then then
rpm -e chromium-browser-install rpm -e %{crname}-install
fi fi
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
%if ! %{with gost}
%package -n chromium-browser %package -n chromium-browser
Summary: A fast web browser based on the Blink engine Summary: A fast web browser based on the Blink engine
Epoch: 1 Epoch: 1
@ -271,25 +299,25 @@ browser. If you prefer the dev channel browser, install the
chromium-browser-unstable package instead. chromium-browser-unstable package instead.
%files -n chromium-browser %files -n chromium-browser
%endif
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
%package -n chromedriver %package -n %{chromedriver}
Summary: WebDriver for Google Chrome/Chromium Summary: WebDriver for Google Chrome/Chromium
Group: Development/Other Group: Development/Other
# No %%{EVRD} # No %%{EVRD}
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
%description -n chromedriver %description -n %{chromedriver}
WebDriver is an open source tool for automated testing of webapps across many WebDriver is an open source tool for automated testing of webapps across many
browsers. It provides capabilities for navigating to web pages, user input, browsers. It provides capabilities for navigating to web pages, user input,
JavaScript execution, and more. ChromeDriver is a standalone server which JavaScript execution, and more. ChromeDriver is a standalone server which
implements WebDriver's wire protocol for Chromium. It is being developed by implements WebDriver's wire protocol for Chromium. It is being developed by
members of the Chromium and WebDriver teams. members of the Chromium and WebDriver teams.
%files -n chromedriver %files -n %{chromedriver}
%doc LICENSE AUTHORS %doc LICENSE AUTHORS
%{_bindir}/chromedriver %{_bindir}/%{chromedriver}
%{_crdir}/chromedriver %{_crdir}/chromedriver
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
@ -297,6 +325,22 @@ members of the Chromium and WebDriver teams.
%prep %prep
%setup -qn chromium-%{version} -a 997 -a 999 %setup -qn chromium-%{version} -a 997 -a 999
%if %{with gost}
mkdir -p %{_gostsourcedir}
tar -C %{_gostsourcedir} --strip 1 -xf %{SOURCE1101}
sed -i \
-e "s,^#include <../ssl/internal.h>,#include \"${PWD}/third_party/boringssl/src/ssl/internal.h\",g" \
%{_gostsourcedir}/src/gostssl.cpp
tar -C %{_gostsourcedir}/src/msspi --strip 1 -xf %{SOURCE1102}
patch -p1 < %{_gostsourcedir}/patch/chromium.patch
( cd ./third_party/boringssl/src
patch -p1 < %{_gostsourcedir}/patch/boringssl.patch )
( cd %{_gostsourcedir}
# Canonical library naming requires to prefix their names with "lib"
# We make a symlink later
grep -rIl gostssl.so . | xargs sed -i 's/gostssl.so/libgostssl.so/g' )
%endif
%patch4 -p1 -b .prefs %patch4 -p1 -b .prefs
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
@ -590,6 +634,16 @@ third_party/node/update_npm_deps
%endif %endif
%build %build
%if %{with gost}
make --file %{SOURCE1100} \
SDIR="%{_gostsourcedir}" \
OUTDIR="%{_gostsourcedir}" \
CC="%{__cc}" \
CXX="%{__cxx}" \
CFLAGS="%{optflags}"
%endif
%define system_gn_list ffmpeg %define system_gn_list ffmpeg
# flac libxslt snappy yasm libpng zlib # flac libxslt snappy yasm libpng zlib
# opus # opus
@ -764,4 +818,27 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{crname}
install -m 0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/%{crname}/ install -m 0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/%{crname}/
install -m 0644 %{SOURCE31} %{buildroot}%{_sysconfdir}/%{crname}/ install -m 0644 %{SOURCE31} %{buildroot}%{_sysconfdir}/%{crname}/
%if %{with gost}
install -m0644 %{_gostsourcedir}/libgostssl.so %{buildroot}%{_crdir}/libgostssl.so
# Compatibility symlink: it is named gostssl.so in other builds of Chromium-GOST
# but it is common to prefix libraries with "lib"
( cd %{buildroot}%{_crdir}/ ; ln -s libgostssl.so gostssl.so )
mv %{buildroot}%{_bindir}/chromedriver %{buildroot}%{_bindir}/%{chromedriver}
# find all files
find %{buildroot}%{_crdir} -type f |
while read f; do
# resolve symlinks
t="$(readlink -ev "$f")"
file "$t" | fgrep -qs ELF || continue
# Add real RPATH. We need RPATH in GOST builds because 'dlopen(libgostssl.so)'
# is performed, but libgostssl.so will not be found without RPATH.
# Here we could change chromium.path from chromium-gost so that it has
# an absolute path to "gostssl.so" instead of a relative one
# but it is strange to hardcode absolute paths to libraries and will
# break running our Chromium somewhere outside of standard locations.
chrpath -r '%{_crdir}' "$t" ||:
done
%endif
find %{buildroot} -name "*.nexe" -exec strip {} \; find %{buildroot} -name "*.nexe" -exec strip {} \;
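Review bot: In the %install hunk, `chrpath -r '%{_crdir}' "$t" ||:` discards every chrpath failure, yet the comment above it says the RPATH is what lets `dlopen(libgostssl.so)` find the library. chrpath can only rewrite an RPATH/RUNPATH entry that already exists in the binary (and is long enough), so if the executable is linked without one the build still succeeds and the packaged browser would resolve the GOST TLS library through the default search path, or not at all. I would limit the loop to the binaries that need the path, drop the `||:` for those, and verify the result, e.g. `chrpath -l "$t" | grep -qF '%{_crdir}'`. The loop should also read names with `while IFS= read -r f; do` so unusual file names are passed through unchanged.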


@ -242,7 +242,7 @@ Name[uk]=Нове вікно
Name[vi]=Ca s Mi Name[vi]=Ca s Mi
Name[zh_CN]= Name[zh_CN]=
Name[zh_TW]= Name[zh_TW]=
Exec=chromium-browser Exec=chromium-browser --new-window
[Desktop Action new-private-window] [Desktop Action new-private-window]
Name=New Incognito Window Name=New Incognito Window

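--- a/chromium-gost.desktop
+++ b/chromium-gost.desktop
@@ -0,0 +1,27 @@
+[Desktop Entry]
+Version=1.0
+Name=Chromium-GOST Web Browser
+Name[ru]=Браузер Chromium-ГОСТ
+GenericName=Chromium-GOST Web Browser
+GenericName[ru]=Браузер Chromium-ГОСТ
+Comment=Web Browser with support of GOST cryptography
+Comment[ru]=Веб-браузер Chromium с поддержкой ГОСТ-шифрования
+Exec=chromium-gost %u
+Icon=chromium-gost
+Terminal=false
+Type=Application
+StartupWMClass=Chromium-browser
+MimeType=application/x-extension-htm;application/x-extension-html;application/x-extension-shtml;application/x-extension-xht;application/x-extension-xhtml;application/xhtml+xml;text/html;x-scheme-handler/chrome;x-scheme-handler/ftp;x-scheme-handler/http;x-scheme-handler/https;
+Categories=GTK;Network;WebBrowser;X-MandrivaLinux-Internet-WebBrowsers;X-MandrivaLinux-CrossDesktop;
+Actions=new-window;new-private-window;
+[Desktop Action new-window]
+Name=New Window
+Name[ru]=Новое окно
+Exec=chromium-gost --new-window
+[Desktop Action new-private-window]
+Name=New Incognito Window
+Name[ru]=Новое окно в режиме инкогнито
+Exec=chromium-gost --incognito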