# Initial purpose of packaging LibreSSL was the need to have a handy # tool to work with GOST keys easily (LibreSSL has GOSTs out of the box). # netcat-openbsd is now also packaged here. # LibreSSL is a fork of OpenSSL and has same libraries, binaries # and fucntions names, that is why it cannot coexist with OpenSSL # easily and is packages to a separate prefix here. # Remember some directories before changing %%_prefix, o - original %define _oprefix /usr %define _obindir %{_oprefix}/bin %define _omandir %{_oprefix}/share/man %define _olibdir %{_oprefix}/%{_lib} # We need to override macros set in platform %define _prefix /opt/libressl %define _bindir %{_prefix}/bin %define _includedir %{_prefix}/include %define _libdir %{_prefix}/lib %define _libexecdir %{_prefix}/libexec %define _datadir %{_prefix}/share %define _mandir %{_datadir}/man # Keep package docs in normal locations %define _defaultdocdir %{_oprefix}/share/doc # RPM 4 by default looks for *.pc in %%_libdir which is redefined %global __pkgconfig_path ^(%{_olibdir}/pkgconfig/.*\\.pc|%{_obindir}/pkg-config)$ # Make RPM mark files in both %%_mandir and %%_omandir as docs (RPM4-only) %global __docdir_path %{__docdir_path}:%{_omandir} # Disable /usr/share/spec-helper/relink_symlinks # to make sure that symlinks are not broken %define dont_relink 1 # Manually control RPATHs %define dont_remove_rpath 1 # If man pages compression is not set up, skip it %{?!_compress:%define _compress /bin/true} %{?!_extension:%define _extension .xz} # Ideas behind this package are the following: # - libressl-devel must provide pkgconfig(libressl*) # - libressl-devel must not provide pkgconfig(openssl), # pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl) # to prevent conflicts with OpenSSL # - packages netcat-openbsd, ocspcheck, libressl are intended to # comply with FHS, so libtls.so.*, libcrypto.so.* and libssl.so.* # are packaged into separate packages, RPATHs are removed and # /usr/bin/* must depend from separate libs packages and will # use /usr/lib(64)/lib*.so.* # - there are no per-library devel packages, only one libressl-devel # with symlinks /opt/libressl/lib/*.so -> /usr/lib(64)/*.so.* # - not FHS-compilant /opt is used only for devel package to allow # coinstallability with OpenSSL devel packages # // mikhailnov, 03.12.2019 # We rename e.g. libtls.pc to libressl-tls.pc, make sure that we do not # get odd provides and break the repository if forgot to rename something. # Filter out provides like 'devel(libcrypto(64bit))' (they are in OpenSSL). %global __provides_exclude \ '.*openssl.*|pkgconfig\\(lib(tls|crypto|ssl)\\)|devel\\(lib(tls|crypto|ssl).*\\).*' %define libcrypto_sover 52 %define libssl_sover 55 %define libtls_sover 28 %define libssl_pkg %mklibname ssl_libressl %{libssl_sover} %define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover} %define libtls_pkg %mklibname tls_libressl %{libtls_sover} # parent commit of https://github.com/libressl-portable/openbsd/commit/a177033 # from which v3.8.3 is tagged %define commit_openbsd 17c60e5b8955deb5786d3f1577b5532478186585 # https://github.com/libressl-portable/portable is tagged correctly, # but lets also build from commit for consistency %define commit_portable 624f5579fa54a6b6df982d2481f43b8d0ca8729e %define _default_patch_fuzz 3 %define config_update %{nil} # TODO: fix it, introduced by patches from gost-new %define _disable_ld_no_undefined 1 %define __cc /opt/llvm17/bin/clang Summary: LibreSSL utils and libs coexisting with OpenSSL Name: libressl Version: 3.8.4 Release: 2 # The code is distributed under ISC license except of original OpenSSL code License: ISC and BSD-like Group: System/Base URL: https://libressl.org #Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz Source0: https://github.com/libressl-portable/portable/archive/%{commit_portable}.tar.gz?/libressl-portable-%{commit_portable}.tar.gz Source1: https://github.com/libressl-portable/openbsd/archive/%{commit_openbsd}.tar.gz?/libressl-openbsd-%{commit_openbsd}.tar.gz Source10: libressl.rpmlintrc # Patches for openbsd tree are also commited here: # https://github.com/mikhailnov/libressl-openbsd/commits/rosa-v3.2.0 # ROSA patch, TODO: add printing config location to `openssl version` Patch0001: 0001-Allow-custom-config-location.patch # Support of GOST 2015 and other fixes by lumag@, sponsored by ROSA Linux # Поддержка TLS 1.2 CNT-IMIT и CTR-OMAC в соответствии с Р 1323565.1.020-2018 и # draft-smyshlyaev-tls12-gost-suites. # - Блочные шифры Магма, Кузнечик по ГОСТ Р 34.12-2015. # - Режимы блочных шифров по ГОСТ Р 34.13-2015 # - Режим CTR-ACPKM по Р 1323565.1.017-2018 # - Режим MGM по Р 13235651.026-2019 # - Формат ключей по Р 1323565.1.023-2018 # - Параметры эллиптических кривых по Р 1323565.1.024-2019 # - Поддержка файлов CMS и PKCS7 по RFC 4490 (в режиме KeyTransport) # - Поддержка файлов CMS и PKCS7 по Р 1323565.1.025-2019 (кроме режима KEK) # - Поддержка файлов PKCS#8/PKCS#12 по Р 50.1.112-2016. # - Поддержка криптонаборов TLS 1.2 по Р 1323565.1.020-2018 # Для поддержки криптонаборов TLS 1.3 с точки зрения ГОСТ все готово, # поддержка TLS 1.3 в самом LibreSSL пока находится в процессе разработки. # In process of upstreamization which is going not easily... # git clone https://github.com/GostCrypt/libressl-openbsd.git -b gost-new # cd libressl-openbsd # git format-patch -64 --start-number=101 # ( for i in 01*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $1}'): $i ; done ) | sort -h # cherry-picked from upstream after v3.2.0 and gost-new Patch0002: 0002-Remove-expired-certificate-ok-tb.patch Patch0003: 0003-Properly-document-PKCS7_final-3-which-was-already-me.patch Patch0004: 0004-distracting-whitespace.patch Patch0005: 0005-new-manual-page-PKCS7_add_attribute-3.patch Patch0006: 0006-mention-that-TLS_method-3-also-supports-TLSv1.3.patch Patch0007: 0007-minor-polishing.patch Patch0008: 0008-Apply-some-style-9.patch Patch0009: 0009-Add-support-for-additional-GOST-curves.patch Patch0010: 0010-Add-a-few-more-errors-to-help-debugging.patch Patch0011: 0011-Add-OIDs-for-HMAC-using-Streebog-GOST-R-34.11-2012-h.patch Patch0012: 0012-Allow-GOST-R-34.11-2012-in-PBE-PBKDF2-PKCS-5.patch Patch0013: 0013-Enable-GOST_SIG_FORMAT_RS_LE-when-verifying-certific.patch Patch0014: 0014-Handle-GOST-in-ssl_cert_dup.patch Patch0015: 0015-Stop-sending-GOST-R-34.10-94-as-a-CertificateType.patch Patch0016: 0016-Use-IANA-allocated-GOST-ClientCertificateTypes.patch Patch0017: 0017-Add-a-custom-copy-handler-for-AES-key-wrap.patch Patch0018: 0018-document-PKCS7_get_signer_info-3.patch Patch0019: 0019-wording-tweaks-from-ross-l-richardson-and-tb.patch Patch0020: 0020-document-PEM_ASN1_read-3-and-PEM_ASN1_read_bio-3.patch Patch0021: 0021-add-a-comment-saying-that-name_cmp-is-intentionally-.patch Patch0022: 0022-add-my-Copyright-and-license-which-i-forgot-when-add.patch Patch0023: 0023-Document-PEM_def_callback-3.patch Patch0024: 0024-Document-EVP_read_pw_string_min-3.patch Patch0025: 0025-gost-populate-params-tables-with-new-curves.patch Patch0026: 0026-gost-use-ECerror-to-report-EC-errors.patch Patch0027: 0027-gost-support-new-PublicKeyParameters-format.patch Patch0028: 0028-gostr341001-support-unwrapped-private-keys-support.patch Patch0029: 0029-pkcs12-add-support-for-GOST-PFX-files.patch Patch0030: 0030-modes-add-functions-implementing-common-code-for-64-.patch Patch0031: 0031-gost-drop-key_len-from-Gost28147_set_key.patch Patch0032: 0032-gost-use-key_meshing-for-specifying-section-size.patch Patch0033: 0033-gost-add-support-for-magma-cipher.patch Patch0034: 0034-gost-add-support-for-kuznyechik-cipher.patch Patch0035: 0035-kuznyechik-fix-IV-handling-for-CTR-mode.patch Patch0036: 0036-magma-fix-IV-handling-for-CTR-mode.patch Patch0037: 0037-gost-add-support-for-ACPKM-rekeying.patch Patch0038: 0038-gost-add-support-for-GOST-34.12-Magma-Kuznyechik-enc.patch Patch0039: 0039-gost-add-support-for-magma-ctr-acpkm-mode.patch Patch0040: 0040-gost-add-support-for-kuznyechik-ctr-acpkm-mode.patch Patch0041: 0041-kdftree-add-functions-implementing-KDF_TREE-function.patch Patch0042: 0042-gost-add-support-for-new-GOST-key-transport-data-for.patch Patch0043: 0043-modes-add-support-for-128-bit-MGM-mode.patch Patch0044: 0044-modes-add-support-for-64-bit-MGM-mode.patch Patch0045: 0045-gost-add-kuznyechik-mgm-support.patch Patch0046: 0046-gost-add-magma-mgm-support.patch Patch0047: 0047-regress-evp-add-simple-test-for-AEAD-ciphers.patch Patch0048: 0048-evp-add-EVP_CIPHER-interface-for-kuznyechik-mgm.patch Patch0049: 0049-evp-add-EVP_CIPHER-interface-for-magma-mgm.patch Patch0050: 0050-evp-add-support-for-Kuznyechik-ctr-acpkm-omac-cipher.patch Patch0051: 0051-evp-add-support-for-Magma-ctr-acpkm-omac-cipher.patch Patch0052: 0052-gost-restore-CMS-support.patch Patch0053: 0053-gost-add-support-for-CMS-and-SMIME-enveloped-files.patch Patch0054: 0054-cms-add-support-for-using-AEAD-ciphers-in-CMS-files.patch Patch0055: 0055-cms-populate-SMIMECaps-with-new-GOST-algorithms.patch Patch0056: 0056-cms-allow-keys-support-different-RI-types.patch Patch0057: 0057-evp-support-kuznyechik-kexp15-keywrap-algorithm.patch Patch0058: 0058-evp-support-magma-kexp15-keywrap-algorithm.patch Patch0059: 0059-gost-support-specifying-old-or-new-KEG-derivation-fo.patch Patch0060: 0060-cms-add-support-for-setting-KeyAgreement-UKM.patch Patch0061: 0061-cms-select-proper-cipher-for-GOST-KeyAgreeement.patch Patch0062: 0062-cms-specify-originator-key-for-KeyAgreement-decoding.patch Patch0063: 0063-cms-support-specifying-originator-certificate-and-ke.patch Patch0064: 0064-gost-add-support-for-decoding-KeyAgreement-CMS-files.patch Patch0065: 0065-cms-autoguess-preferred-RecipientInfo-type.patch Patch0066: 0066-Fix-S-Box-used-for-CipherKeyExchange-message-in-GOST.patch Patch0067: 0067-gost-pmeth-check-that-result-of-data-encryption-woul.patch Patch0068: 0068-ssl_sigalgs-select-proper-default-algorithm-for-GOST.patch Patch0069: 0069-ssl-add-support-for-IANA-allocated-GOST-sigalgs-valu.patch Patch0070: 0070-ssl-provide-interoperability-with-CryptoPro-CSP.patch Patch0071: 0071-ssl-do-not-send-GOST-94-certificate-type.patch Patch0072: 0072-ssl-add-support-for-new-GOST-CNT-IMIT-ciphersuite-va.patch Patch0073: 0073-evp-add-EVP_PKEY_new_CMAC_key-function.patch Patch0074: 0074-evp-fix-sign-verify-for-EVP_PKEY_CMAC-keys.patch Patch0075: 0075-evp-fix-EVP_MD_CTX_copy_ex-for-CMAC-contexts.patch Patch0076: 0076-objects-add-id-for-gost-kdf-key-exchange-for-CTR-OMA.patch Patch0077: 0077-ssl-add-defines-for-GOST-CTR-OMAC-ciphersuites.patch Patch0078: 0078-ssl-add-support-for-GOST-KDF-key-exchange.patch Patch0079: 0079-ssl-support-selecting-CMAC-for-CTR-OMAC-ciphersuites.patch Patch0080: 0080-ssl-select-ACPKM-session-size-for-CTR-OMAC-ciphersui.patch Patch0081: 0081-ssl-fix-Finished-message-length-for-CTR-OMAC-ciphers.patch Patch0082: 0082-ssl-fix-CMAC-support.patch Patch0083: 0083-ssl-merge-read-and-write-sequence-secrets-into-commo.patch Patch0084: 0084-ssl-drop-mac_flags-field.patch Patch0085: 0085-ssl-support-IV-increments-for-GOST-CTR-OMAC-ciphersu.patch Patch0086: 0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch Patch0087: 0087-ssl-add-support-for-TLSTREE-rekeying.patch # https://www.opennet.ru/opennews/art.shtml?num=54233 # https://github.com/libressl-portable/openbsd/commit/f22d7684aed13a9ae9ea6554b7a3e52fdfa4f193 # From LibreSSL 3.2.3 Patch0088: 0088-CVE-2020-1971.patch # https://www.opennet.ru/opennews/art.shtml?num=55683 # https://github.com/libressl-portable/openbsd/commit/89d74f9b9c8c0b042e81aecb6c286253a51659d8 # From LibreSSL 3.2.6 Patch0089: 0089-CVE-2021-3712.patch # TODO: # https://www.opennet.ru/opennews/art.shtml?num=54774 # https://github.com/libressl-portable/openbsd/commit/5f00b800749f246861e892a17d9012bd25fc06ba (LibreSSL 3.2.5) # Code is different in our version, investigation if backport is required is required. # Patches for portable, from lumag@ # ( for i in *PORTABLE*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $2}'): $i ; done ) | sed -e 's,^Patch0,Patch2,g' | sort -h # These patches for portable tree extend patches above for openbsd tree # and have the same numbers Patch2030: PORTABLE-0030-modes-add-functions-implementing-common-code-for-64-.patch Patch2033: PORTABLE-0033-gost-add-support-for-magma-cipher.patch Patch2034: PORTABLE-0034-gost-add-support-for-kuznyechik-cipher.patch Patch2041: PORTABLE-0041-kdftree-add-functions-implementing-KDF_TREE-function.patch Patch2042: PORTABLE-0042-gost-add-support-for-new-GOST-key-transport-data-for.patch Patch2043: PORTABLE-0043-modes-add-support-for-128-bit-MGM-mode.patch Patch2044: PORTABLE-0044-modes-add-support-for-64-bit-MGM-mode.patch Patch2086: PORTABLE-0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch Patch2100: PORTABLE-0100-fixup-build.patch # If both openssl and libressl libraries are loaded into one runtime, # versioning their symbols will or may allow them to coexist Patch2200: PORTABLE-2200-SUSE-extra-symver.patch # From https://www.mitchr.me/SS/exampleCode/openssl.html Source20: test.c Source22: test2.c # From import/openssl, originates from Fedora Source25: test5.c # From Linux kernel 5.3.15, scripts/sign-file.c Source29: test9.c # To get %%_openssldir and for %%check BuildRequires: openssl-devel BuildRequires: openssl BuildRequires: pkgconfig(zlib) #BuildRequires(check) BuildRequires: gostsum # readelf <...> | <...> BuildRequires: binutils grep gawk BuildRequires: chrpath Buildrequires: llvm17 # This LibreSSL uses /etc/pki/tls from system OpenSSL # but most functions will work without its files Recommends: openssl %description LibreSSL utils and libs coexisting with OpenSSL. GOST is supported out of the box. %files %doc ChangeLog COPYING # %%_bindir here is /opt/libressl/bin # %%_obindir is /usr/bin # %%_mandir is /opt/libressl/share/man # %%_omandir is /usr/share/man %{_obindir}/libressl %config(noreplace) %{_openssldir}/libressl.cnf %config(noreplace) %{_openssldir}/x509v3.cnf %{_omandir}/*/* %exclude %{_omandir}/man3/* %exclude %{_omandir}/*/nc.* %exclude %{_omandir}/*/netcat.* %exclude %{_omandir}/*/ocspcheck.* #------------------------------------------------------------------------------------- %package -n %{libcrypto_pkg} Summary: libcrypto library from LibreSSL Group: System/Libraries %description -n %{libcrypto_pkg} libcrypto library from LibreSSL %files -n %{libcrypto_pkg} %{_olibdir}/libcrypto.so.%{libcrypto_sover}* #------------------------------------------------------------------------------------- %package -n %{libssl_pkg} Summary: libssl library from LibreSSL Group: System/Libraries %description -n %{libssl_pkg} libssl library from LibreSSL %files -n %{libssl_pkg} %{_olibdir}/libssl.so.%{libssl_sover}* #------------------------------------------------------------------------------------- %package -n %{libtls_pkg} Summary: libtls library from LibreSSL Group: System/Libraries %description -n %{libtls_pkg} libtls library from LibreSSL %files -n %{libtls_pkg} %{_olibdir}/libtls.so.%{libtls_sover}* #------------------------------------------------------------------------------------- %package devel Summary: LibreSSL devel package Group: Development/C Requires: %{name} = %{EVRD} # symlinks /opt/libressl/lib/*.so.* -> /usr/lib(64)/*.so.* Requires: %{libcrypto_pkg} = %{EVRD} Requires: %{libtls_pkg} = %{EVRD} Requires: %{libssl_pkg} = %{EVRD} # Add provides to pull this package by common devel names Provides: %{mklibname crypto_libressl -d} = %{EVRD} Provides: %{mklibname tls_libressl -d} = %{EVRD} Provides: %{mklibname ssl_libressl -d} = %{EVRD} # Automatic provides like 'devel(libcrypto(64bit))' are blocked by # filters to prevent conflicts with OpenSSL # devel(libfoo) are RPM_VENDOR_MANDRIVA-specific in RPM 5 # TODO: probably no real need in emulating devel(libfoo) %if 0%{?mdvver} %if "%{?_lib}" == "lib64" %define b64 (64bit) %else %define b64 %{nil} %endif Provides: devel(libressl-libtls%{b64}) Provides: devel(libressl-libcrypto%{b64}) Provides: devel(libressl-libssl%{b64}) %endif %description devel LibreSSL devel package. Devel libraries are in %{_libdir}, runtime librararies are in %{_olibdir}, pkg-config sets -I%{_libdir} in CFLAGS. %files devel %doc ChangeLog COPYING %{_libdir}/*.so # symlinks to %%{_olibdir}/*.so.*, only for devel package %{_libdir}/*.so.* %{_olibdir}/pkgconfig/*.pc %{_includedir} %{_mandir}/*/* %{_omandir}/man3/* %{_rpmmacrodir}/*libressl* #------------------------------------------------------------------------------------- %package -n ocspcheck Summary: Utility to validate certificates Group: System/Base %description -n ocspcheck Utility to validate a certificate against its OCSP responder and save the reply for stapling %files -n ocspcheck %doc ChangeLog COPYING %{_obindir}/ocspcheck %{_omandir}/man*/ocspcheck.* #------------------------------------------------------------------------------------- %package -n netcat-openbsd Summary: Reads and writes data across network connections using TCP or UDP Group: System/Base Conflicts: netcat < 1.0 Conflicts: netcat-traditional Conflicts: netcat-gnu # netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced #Obsoletes: netcat-openbsd < 1.89.1 Provides: netcat-tls = %{EVRD} Provides: netcat-libressl = %{EVRD} Provides: nc = %{EVRD} # Provide "netcat" to satisfy deps of packages which require _any_ # implementation of netcat. # But make this netcat the default one, so, # while other packages provide "netcat = 1.0", # provide a higher version here to make this package # the default candidate to be installed as "netcat". %if %{mdvver} > 201610 Provides: netcat = %{EVRD} # other netcats were removed due to their upstreams being dead Obsoletes: netcat-gnu < 0.7.2 Obsoletes: netcat-traditional < 111 %else # keep old default in rosa2016.1 Provides: netcat = 1.0 %endif %description -n netcat-openbsd The nc package contains Netcat (the program is actually nc), a simple utility for reading and writing data across network connections, using the TCP or UDP protocols. Netcat is intended to be a reliable back-end tool which can be used directly or easily driven by other programs and scripts. Netcat is also a feature-rich network debugging and exploration tool, since it can create many different connections and has many built-in capabilities. You may want to install the netcat package if you are administering a network and you'd like to use its debugging and network exploration capabilities. %files -n netcat-openbsd %doc ChangeLog COPYING %{_obindir}/nc %{_obindir}/netcat %{_omandir}/man*/nc.* %{_omandir}/man*/netcat.* #------------------------------------------------------------------------------------- %prep %setup -q -n portable-%{commit_portable} -a1 # Emulating creation of release tarball... mv openbsd-%{commit_openbsd} openbsd #( cd openbsd # First apply patches and then run a script which will copy files etc. #for i in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep -v '/PORTABLE\-' | sort -h); do # echo "Applying openbsd patch $i" # patch -p1 < "$i" #done #) export CC=/opt/llvm17/bin/clang sed -i -e 's,git ,true ,g' update.sh sed -i -e 's,./update.sh,sh -x ./update.sh,g' autogen.sh sh -x ./autogen.sh | tee autogen0.log # Protection against incorrect updates, e.g. by updates_tracker #grep -q "^LibreSSL version %{version}$" autogen0.log rm -f autogen0.log # Now apply patches on top of portable edition after all files have been generated #for i in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep '/PORTABLE\-' | sort -h); do # echo "Applying portable patch $i" # patch -p1 < "$i" #done # Rerun after patching sh -x update.sh %build #export CC=/opt/llvm17/bin/clang #setup_compile_flags %serverbuild # Use the same %%_openssl dir with OpenSSL, but separate the config # (note that we patch libressl, X509_CONF_FILE is not upstream) export CFLAGS="$CFLAGS -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'" #autoreconf -if #Source21 # static libs are required for tests target in Makefile cp -fv /usr/share/libtool/config/config.* . %configure \ --enable-nc \ --enable-static \ --enable-asm=no \ --with-openssldir=%{_openssldir} %make_build %install set +f # explicitly enable shell globbing %make_install # Some ideas about mans are from ALT Linux spec install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1 install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1 mkdir -p %{buildroot}%{_mandir}/man8/ install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8 for i in $(seq 1 8) do man_dir="%{buildroot}%{_mandir}/man${i}" if [ ! -d "$man_dir" ]; then continue; fi ( cd "$man_dir" grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || : if find . -name 'libressl_*' | grep -q '.' ; then echo 'Rewrite spec because upstream libressl_* manpages appeared!' exit 1 fi # Make all man pages with potentially the same names as in OpenSSL # be avaialble in standard man directories, but prevent conflicts with OpenSSL for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do openssl_LibreSSL_manpage="libressl_${openssl_manpage}" cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage" done for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')" cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage" done ) done mkdir -p %{buildroot}%{_omandir} cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/ # We have put libressl_ prefixed mans to system man directory, # now delete them from /opt/libressl/share/man to leave # mans with original names in /opt/libressl/share/man # Mans with original names will be included to devel package only rm -fv %{buildroot}%{_mandir}/*/libressl_* rm -fv %{buildroot}%{_omandir}/*/openssl.* ( cd %{buildroot}%{_omandir}/man3 ; rm -fv $(ls -1v | grep -v '^libressl_') ) # Fully delete other mans from /opt rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}* # Manually compress man pages because we use both # /usr/share/man and /opt/libressl/share/man, # /usr/lib/rpm/brp-compress will not compress both of them mkdir tmp ( cd tmp sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \ %{_usrlibrpm}/brp-compress > ./brp-compress.sh chmod +x ./brp-compress.sh COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh ) mkdir -p %{buildroot}%{_obindir} mv -v %{buildroot}%{_bindir}/{nc,ocspcheck,openssl} %{buildroot}%{_obindir}/ mv -v %{buildroot}%{_obindir}/openssl %{buildroot}%{_obindir}/libressl ( cd %{buildroot}%{_obindir} ; ln -s nc netcat ) ( cd %{buildroot}%{_includedir} ; ln -s openssl libressl ) # Remove static libs ( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a ) mkdir -p %{buildroot}/%{_olibdir}/pkgconfig mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig for i in share %{_lib} do pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig" if [ ! -d "$pkgconfig_dir" ]; then continue; fi ( cd "$pkgconfig_dir" for f in *.pc do if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then echo "Name in $f is not prefixed with LibreSSL-" exit 1 fi # Restore ability to work with custom prefix # It is lost due to --exec_prefix=XXX in %%configure sed -i -r \ -e 's,^exec_prefix=.+,exec_prefix=${prefix},' \ -e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \ -e 's,^includedir=.+,includedir=${prefix}/include,' \ "$f" mv -v "$f" "libressl-${f}" # Requires: libxx -> Requires: libressl-libxx sed -i \ -e 's/libcrypto/libressl-libcrypto/g' \ -e 's/libtls/libressl-liblts/g' \ -e 's/libssl/libressl-libssl/g' \ -e 's/libressl-libressl-/libressl-/g' \ "libressl-${f}" if [ -f libressl-openssl.pc ]; then mv -v libressl-openssl.pc libressl.pc fi done ) done mv -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/ ( cd %{buildroot}/%{_libdir}/ for i in %{buildroot}/%{_olibdir}/{libcrypto,libtls,libssl}.so.* do filename="$(basename "$i")" # /opt/libressl/lib # /usr/lib64/ # Relative symlink is required to use *.so in tests... ln -s ../../../"%{_olibdir}/${filename}" "$filename" done ) if [ "$(find %{buildroot}/%{_libdir}/ -iname '*.so.*' -type f | wc -l)" -gt 0 ]; then echo "Some shared libraries were not relocated!" exit 1 fi chrpath --delete %{buildroot}/%{_olibdir}/*.so.* chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck,libressl} # Stuff from system OpenSSL will be used rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem} mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf # Having sovers as macros may be useful to check that binaries are linked against LibreSSL cat << EOF > macros.file %%libressl_version %{version} %%libressl_libcrypto_sover %{libcrypto_sover} %%libressl_libssl_sover %{libssl_sover} %%libressl_libtls_sover %{libtls_sover} %%libressl_prefix /opt/libressl EOF %install_macro libressl macros.file %check _pcf(){ unset oflags nflags oflags="$(eval $@)" nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')" } libressl="%{buildroot}/%{_obindir}/libressl" # These tests caught a lot of mistakes during first builds export PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig export LD_LIBRARY_PATH=%{buildroot}/%{_olibdir} # (test 1) Check that openssldir is correct $libressl version -d | awk '{print $NF}' | tr -d '""' | grep -q '^%{_openssldir}$' # (test 2) Check that path to config file is correct # and also check that pkg-config libressl points to libressl, not openssl _pcf pkg-config --libs --cflags libressl %__cc -o test2 %{SOURCE22} $nflags ldd ./test2 #[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1 # Check that our pkgconfig hacks somehow work # (test 3) There is no /opt/libressl/ at build time _pcf pkg-config --libs --cflags libressl-libcrypto %__cc -o test3 %{SOURCE20} $nflags ldd ./test3 ldd ./test3 | grep 'libcrypto\.so\.%{libcrypto_sover}' ./test3 | grep Hello # (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly # (build with libcrypto from OpenSSL) _pcf pkg-config --libs --cflags libcrypto %__cc -o test4 %{SOURCE20} $nflags ldd ./test4 ldd ./test4 | grep -v '/libcrypto\.so\.%{libcrypto_sover}' ./test4 | grep Hello # (test 5) Check that flags from all *.pc are valid # libtls is overlinking here, but check linking _pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto %__cc -o test5 %{SOURCE25} $nflags -lpthread -lz -ldl ldd ./test5 ldd ./test5 | grep '/libcrypto\.so\.%{libcrypto_sover}' ldd ./test5 | grep '/libssl\.so\.%{libssl_sover}' ldd ./test5 | grep '/libtls\.so\.%{libtls_sover}' ./test5 --threads 2 # (test 6) Check that gost12sum (from OpenSSL gost-engine) and LibreSSL give the same result # This also simply checks that checksums by GOST do work echo test6 > ./test6 # gost12sum is Streebog-256, gostsum -l is Streebog-512 _gost12sum="$(gost12sum ./test6 | awk '{print $1}')" _libressl="$($libressl dgst -streebog256 ./test6 | awk '{print $NF}')" [ "$_gost12sum" = "$_libressl" ] || exit 1 # (test 7) The same for Streebog-512 echo test7 > ./test7 _gost12sum="$(gost12sum -l ./test7 | awk '{print $1}')" _libressl="$($libressl dgst -streebog512 ./test7 | awk '{print $NF}')" [ "$_gost12sum" = "$_libressl" ] || exit 1 unset _gost12sum _libressl # (test 8) Check that LibreSSL and gostsum use different byte order in GOST R 34.11-94 hashes # https://ru.wikipedia.org/wiki/ГОСТ_Р_34.11-94#Формат_вывода # ...and that their hash tables do not differ # https://github.com/gost-engine/engine/issues/189 # If byte orders change, package maintainers must become aware of this via this test failing # Running the same hashsumming for multiple times checks that results do not randomize echo test8 > ./test8 _gs_beg="$(gostsum ./test8 | awk '{print $1}' | head -c2)" _gs_end="$(gostsum ./test8 | awk '{print $1}' | tail -c3)" #-c3 because of EOL _ls_beg="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | head -c2)" _ls_end="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | tail -c3)" _gs_length="$(gostsum ./test8 | awk '{print $1}' | wc -c)" _ls_length="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | wc -c)" [ "$_gs_beg" = "$_ls_end" ] && \ [ "$_gs_end" = "$_ls_beg" ] && \ [ "$_gs_length" = "$_ls_length" ] || exit 1 unset _gs_beg _gs_end _ls_beg _ls_end _gs_length _ls_length # (test 9) Test ability to sign using program that requires OPENSSL_NO_CMS to de undefined # https://bugzilla.kernel.org/show_bug.cgi?id=202159 # and ability to generate GOST R 34.10-12 keys _pcf pkg-config --libs --cflags libressl-libcrypto %__cc -o test9 %{SOURCE29} $nflags export OPENSSL_CONF=%{buildroot}%{_openssldir}/libressl.cnf $libressl ecparam -genkey -name id-tc26-gost-3410-12-512-paramSetA -out priv.key -outform PEM $libressl req -batch -new -x509 -nodes -key priv.key -out pem1.pem \ -subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root" # Also possible to gen a new key and a certificate in one command: # libressl req <...> -newkey ec -pkeyopt ec_paramgen_curve:id-tc26-gost-3410-12-512-paramSetA # Signature Algorithm: ecdsa-with-SHA256 $libressl x509 -in pem1.pem -text -noout | grep -E 'Signature Algorithm:.*ecdsa-with-SHA256' $libressl req -new -nodes -utf8 -batch -x509 -newkey gost2001 \ -pkeyopt dgst:streebog512 -pkeyopt paramset:A -streebog512 \ -days 109500 \ -subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root" \ -outform PEM -out pem2.pem -keyout pem2.pem $libressl x509 -in pem2.pem -text -noout $libressl x509 -in pem2.pem -text -noout | grep -E 'Signature Algorithm:.*GOST R 34.10-2012' $libressl x509 -in pem2.pem -text -noout | grep -E 'Digest Algorithm:.*GOST R 34-11-2012' $libressl x509 -in pem2.pem -text -noout | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012' echo 123 > test9_file1 echo 123 > test9_file2 # Known to fail with: "CMS routines:func(4095):not supported for this key type" ./test9 streebog512 priv.key pem1.pem test9_file1 || : $libressl dgst -streebog512 -sign pem2.pem test9_file2 > test9_file2.sig ./test9 -s test9_file2.sig streebog512 pem2.pem test9_file2 strings test9_file2 | tail -n 1 | grep -q '~Module signature appended~'