Build a separate (lib)curl-libressl with GOST support

curl-libressl.patch

@@ -0,0 +1,30 @@
+This script finds system OpenSSL despite I want it to use LibreSSL from /opt/libressl
+Do not find it automatically -- we have set $LIBS and $PREFIX_OPENSSL
+// mikhailnov, 25.12.2019
+
+--- curl-7.67.0/configure.ac.orig	2019-12-25 21:48:24.085383749 +0300
++++ curl-7.67.0/configure.ac	2019-12-25 21:57:06.765662329 +0300
+@@ -1642,9 +1642,8 @@
+     dnl no --with-ssl option given, just check default places
+     if test x$cross_compiling != xyes; then
+       dnl only do pkg-config magic when not cross-compiling
+-      PKGTEST="yes"
++      PKGTEST="no"
+     fi
+-    PREFIX_OPENSSL=
+     ;;
+   *)
+     dnl check the given --with-ssl spot
+--- curl-7.67.0/libcurl.pc.in.orig	2019-12-25 23:03:57.116216398 +0300
++++ curl-7.67.0/libcurl.pc.in	2019-12-25 23:04:40.710951374 +0300
+@@ -34,6 +34,7 @@
+ URL: https://curl.haxx.se/
+ Description: Library to transfer files with ftp, http, etc.
+ Version: @CURLVERSION@
+-Libs: -L${libdir} -lcurl
+-Libs.private: @LIBCURL_LIBS@
+-Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@
++Libs: -L${libdir} -lcurl @LIBRESSL_LIBS@
++Libs.private: @LIBCURL_LIBS@ @LIBRESSL_LIBS_PRIVATE@
++Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@ @LIBRESSL_CFLAGS@
++Requires.private: libressl

curl.spec

@@ -1,13 +1,31 @@
 %define major 4
 %define libname %mklibname %{name} %{major}
+%define libname_libressl %mklibname %{name}_libressl %{major}
 %define devname %mklibname %{name} -d
+%define devname_libressl %mklibname %{name}_libressl -d
 
 %define ssh2 0
 
+# Using libressl allows to support GOST TLS without pain
+# test: curl https://www.cryptopro.ru:4444/test/tls-cli.asp
+# Building a separate curl with libressl
+%bcond_without libressl
+
+%if %{with libressl}
+%define ssl_list openssl libressl
+%else
+%define ssl_list openssl
+%endif
+%define shell_begin %{expand:for SSL in %%{ssl_list} ; \
+	do \
+	mkdir -p "$SSL" ;\
+	pushd "$SSL"}
+%define shell_end popd; done
+
 Summary:	Gets a file from a FTP, GOPHER or HTTP server
 Name:		curl
 Version:	7.67.0
-Release:	1
+Release:	4
 Epoch:		1
 License:	BSD-like
 Group:		Networking/Other
@@ -16,6 +34,7 @@ Source0:	https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 Source1:	https://curl.haxx.se/download/%{name}-%{version}.tar.xz.asc
 Patch0:		%{name}-7.59.0-multilib.patch
 Patch2:		%{name}-7.59.0-debug.patch
+Patch3:		%{name}-libressl.patch
 BuildRequires:	groff
 BuildRequires:	stunnel
 BuildRequires:	openldap-devel
@@ -28,6 +47,9 @@ BuildRequires:	pkgconfig(libssh2)
 %else
 BuildRequires:	pkgconfig(libssh)
 %endif
+%if %{with libressl}
+BuildRequires:	pkgconfig(libressl)
+%endif
 BuildRequires:	pkgconfig(openssl)
 BuildRequires:	pkgconfig(zlib)
 # TODO: Package and enable libpsl support
@@ -47,12 +69,31 @@ This version is compiled with SSL (https) support.
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}.1*
 
+#----------------------------------------------------------------------------
+%if %{with libressl}
+%package -n curl-libressl
+Summary:	Gets a file from a FTP, GOPHER or HTTP server
+Group:		Networking/Other
+Provides:	curl-gost = %{EVRD}
+
+%description -n curl-libressl
+curl is a client to get documents/files from servers, using any of the
+supported protocols. The command is designed to work without user interaction
+or any kind of interactivity.
+It offers a busload of useful tricks like proxy support, user authentication,
+ftp upload, HTTP post, file transfer resume and more.
+This version is compiled with LibreSSL and is capable of GOST TLS.
+
+%files -n curl-libressl
+%{_bindir}/curl-libressl
+%{_bindir}/curl-gost
+%endif
 #----------------------------------------------------------------------------
 
 %package -n %{libname}
 Summary:	A library of functions for file transfer
 Group:		Networking/Other
-Requires:	rootcerts >= 1:20070713.00
+Requires:	rootcerts
 
 %description -n %{libname}
 libcurl is a library of functions for sending and receiving files through
@@ -64,6 +105,24 @@ use libcurl.
 %doc COPYING
 %{_libdir}/libcurl.so.%{major}*
 
+#----------------------------------------------------------------------------
+%if %{with libressl}
+%package -n %{libname_libressl}
+Summary:	A library of functions for file transfer
+Group:		Networking/Other
+Requires:	rootcerts
+
+%description -n %{libname_libressl}
+libcurl is a library of functions for sending and receiving files through
+various protocols, including http and ftp.
+You should install this package if you plan to use any applications that
+use libcurl.
+libcurl-libressl is linked with LibreSSL and is capable of GOST TLS.
+
+%files -n %{libname_libressl}
+%doc COPYING
+%{_libdir}/libcurl-libressl.so.%{major}*
+%endif
 #----------------------------------------------------------------------------
 
 %package -n %{devname}
@@ -86,11 +145,32 @@ use libcurl.
 %{multiarch_bindir}/%{name}-config
 %{_libdir}/libcurl.so
 %{_includedir}/%{name}
-%{_libdir}/pkgconfig/*.pc
+%exclude %{_includedir}/curl-libressl
+%{_libdir}/pkgconfig/libcurl.pc
 %{_datadir}/aclocal/*.m4
 %{_mandir}/man1/%{name}-config.1*
 %{_mandir}/man3/*
 
+#----------------------------------------------------------------------------
+%if %{with libressl}
+%package -n %{devname_libressl}
+Summary:	Header files and devel libraries for libcurl with LibreSSL
+Group:		Development/C
+Requires:	%{libname_libressl} = %{EVRD}
+Provides:	%{name}-libressl-devel = %{EVRD}
+Provides:	%{name}-gost-devel = %{EVRD}
+
+%description -n %{devname_libressl}
+libcurl is a library of functions for sending and receiving files through
+various protocols, including http and ftp.
+You should install this package if you wish to develop applications that
+use libcurl linked with LibreSSL and capable of GOST.
+
+%files -n %{devname_libressl}
+%{_includedir}/curl-libressl
+%{_libdir}/pkgconfig/libcurl-libressl.pc
+%{_libdir}/libcurl-libressl.so
+%endif
 #----------------------------------------------------------------------------
 
 %package examples
@@ -110,9 +190,49 @@ Example files for %{name} development.
 %prep
 %setup -q
 %apply_patches
+regexp="$(echo %{ssl_list} | sed -e 's, ,|,g')"
+for i in %{ssl_list}; do
+	mkdir -p "$i"
+	cp -r $(ls -1v | grep -vE "$regexp") "$i"/
+done
+rm -fr $(ls -1v | grep -vE "${regexp}|docs|COPYING|CHANGES")
 
 %build
+%setup_compile_flags
+%shell_begin
+
+ADD_CONF_OPTS=""
+case "$SSL" in
+ libressl )
+	new_libname=libcurl-libressl
+	sed -i configure.ac \
+		-e 's,openssl.pc,libressl.pc,g' \
+		-e 's,PKGCONFIG(openssl,PKGCONFIG(libressl,g' \
+		-e 's,$PREFIX_OPENSSL/lib$libsuff,$PREFIX_OPENSSL/lib,g'
+	# $LIBS apply to libcurl.so only, so there will not be overlinking
+	# even if to add -lxxx here
+	export LIBS="$(pkg-config --cflags-only-I --libs-only-L libressl)"
+	export CFLAGS="$LIBS"
+	export PREFIX_OPENSSL=/opt/libressl
+	# It will be /usr/include/curl-libressl/curl
+	# to allow '#include <curl/xxx.h> to work with -I/usr/include/curl-libressl
+	# TLS-SRP: https://wiki.freebsd.org/LibreSSL
+	ADD_CONF_OPTS="\
+		--includedir=%{_includedir}/curl-libressl \
+		--disable-tls-srp \
+		--with-ssl=off \
+	"
+	;;
+ openssl )
+	new_libname=libcurl
+	%patch3 -p1 -R
+	;;
+esac
+
 autoreconf -fiv
+sed -i configure \
+	-e "s,\$libname,${new_libname},g" \
+	-e "s,\${libname},${new_libname},g"
 
 %configure2_5x \
 	--disable-static \
@@ -138,27 +258,47 @@ autoreconf -fiv
 	--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
 	--with-gssapi=%{_prefix} \
 	--enable-ares \
-	--without-libpsl
+	--without-libpsl \
+	$ADD_CONF_OPTS --
 
 %make
 
 # we don't want them in curl-examples:
 rm -r docs/examples/.deps ||:
 
-# disable tests that want to connect/run sshd, which is quite impossible
+%shell_end
-#%%check
-# Some tests fail at random inside ABF (timeouts?), but work in local builds.
-# Let's make a test failure non-fatal for the moment.
-#make test TEST_Q='-a -p -v !SCP !SFTP !SOCKS4 !SOCKS5 !TFTP !198' || :
-
 
 %install
+%shell_begin
+case "$SSL" in
+	openssl )
 		%makeinstall_std
+	;;
+	libressl )
+		tmp="$(mktemp -d -p $(pwd))"
+		mkdir -p "$tmp"
+		make DESTDIR="${tmp}" install
+		mv -v ${tmp}%{_bindir}/curl %{buildroot}%{_bindir}/curl-libressl
+		mv -v ${tmp}%{_libdir}/libcurl-libressl* %{buildroot}%{_libdir}
+		mv -v ${tmp}%{_includedir}/curl-libressl %{buildroot}%{_includedir}/
+		cat %{buildroot}%{_libdir}/pkgconfig/libcurl.pc | \
+			sed -r \
+				-e 's,^Name:.+,Name: libcurl-libressl,g' \
+				-e 's,-lcurl,-lcurl-libressl,g' \
+				-e "s,@LIBRESSL_LIBS@,$(pkg-config --libs-only-L libressl),g" \
+				-e "s,@LIBRESSL_LIBS_PRIVATE@,,g" \
+				-e "s,@LIBRESSL_CFLAGS@,$(pkg-config --cflags-only-I libressl),g" \
+			> %{buildroot}%{_libdir}/pkgconfig/libcurl-libressl.pc
+		#rm -fr "$tmp"
+	;;
+	* ) echo 'Unknown $SSL' && exit 1 ;;
+esac
 
 # [july 2008] HACK. to be replaced by a real fix
 sed -i -e 's!-Wl,--as-needed!!' -e 's!-Wl,--no-undefined!!' %{buildroot}%{_bindir}/%{name}-config
 sed -i -e 's!-Wl,--as-needed!!' -e 's!-Wl,--no-undefined!!' %{buildroot}%{_libdir}/pkgconfig/*.pc
 
+# TODO: maybe make curl-libressl-config?
 %multiarch_binaries %{buildroot}%{_bindir}/%{name}-config
 
 # (tpg) use rootcerts's certificates #35917
@@ -166,3 +306,26 @@ find %{buildroot} -name ca-bundle.crt -exec rm -f '{}' \;
 
 # we don't package mk-ca-bundle so we don't need man for it
 rm -f %{buildroot}%{_mandir}/man1/mk-ca-bundle.1*
+
+%shell_end
+
+%if %{with libressl}
+( cd %{buildroot}%{_bindir} ; ln -s curl-libressl curl-gost )
+%endif
+
+%check
+export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
+%if %{with libressl}
+readelf -a %{buildroot}%{_bindir}/curl-libressl | grep NEEDED | grep -q libcurl-libressl
+readelf -a %{buildroot}%{_libdir}/libcurl-libressl.so | grep SONAME | grep -q libcurl-libressl
+! readelf -a %{buildroot}%{_libdir}/libcurl.so | grep SONAME | grep -q libcurl-libressl
+# This test will not fail if there is no connection with internet
+# --insecure to ignore missing SSL certificate
+if %{buildroot}%{_bindir}/curl-libressl --insecure \
+	"https://www.cryptopro.ru:4444/test/tls-cli.asp" 2>&1 | \
+	grep -q ':unsupported algorithm$' ;
+then
+	echo "GOST is not supported"
+	exit 1
+fi
+%endif