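# Initial purpose of packaging LibreSSL was the need to have a handy
# tool to work with GOST keys easily (LibreSSL has GOSTs out of the box).
# netcat-openbsd is now also packaged here.

# LibreSSL is a fork of OpenSSL and has the same libraries, binaries
# and function names, that is why it cannot coexist with OpenSSL
# easily and is packaged into a separate prefix here.

# Remember some directories before changing %%_prefix, o - original
# (these must stay above the %%_prefix redefinition below)
%define _oprefix /usr
%define _obindir %{_oprefix}/bin
%define _omandir %{_oprefix}/share/man
%define _olibdir %{_oprefix}/%{_lib}

%define _prefix /opt/libressl
# No need to have /opt/libressl/lib64, use /opt/libressl/lib
%define _libdir %{_prefix}/lib
# Keep package docs in normal locations
%define _defaultdocdir %{_oprefix}/share/doc

# Disable /usr/share/spec-helper/relink_symlinks
# to make sure that symlinks are not broken
%define dont_relink 1

# If man pages compression is not set up, skip it
%{?!_compress:%define _compress /bin/true}
%{?!_extension:%define _extension .xz}

# Fallback to the old external dependency generator
# http://lists.rosalab.ru/pipermail/rosa-devel/2013-April/004702.html
# http://lists.rosalab.ru/pipermail/rosa-devel/2013-April/004703.html
# because there is no way to filter by filepath in the internal one
# TODO: avoid using external dep. gen.
%define _use_internal_dependency_generator 0
# Those libraries in /opt are not available without RPATH or ld.so.conf
%define _exclude_files_from_autoprov %{_libdir}
# We rename e.g. libtls.pc to libressl-libtls.pc, make sure that we do not
# get odd provides and break the repository if we forget to rename something
#define __noautoprov '.*openssl.*|pkgconfig\\(lib.*'
%define _provides_exceptions '.*openssl.*|pkgconfig(lib.*'
# libressl-devel must not require devel(libxxx)
# because it has those devels inside itself
%define _requires_exceptions 'devel(lib.*'
# Ideas behind this dependency generation crap are the following:
# - libressl-devel must provide pkgconfig(libressl*)
# - libressl-devel must not provide pkgconfig(openssl),
#   pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl)
#   to prevent conflicts with OpenSSL
# - libressl must not depend on separate library packages with
#   libtls.so.*, libcrypto.so.*, libssl.so.*, instead it has
#   copies of those libraries in /opt/libressl/lib/ and has RPATH
# - packages netcat-openbsd and ocspcheck are intended to be
#   installable without installing libressl package with a lot of
#   odd stuff; so libtls.so.*, libcrypto.so.* and libssl.so.* are
#   packaged into separate packages, RPATHs are removed and nc
#   and ocspcheck must depend on separate libs packages and will
#   use /usr/lib(64)/lib*.so.* instead of /opt/libressl/lib/*.so.*
# - there are no per-library devel packages, only one libressl-devel.
# // mikhailnov, 30.11.2019

# Sonames of the shipped libraries; the library subpackage names and
# their file lists are derived from these numbers.
%define libcrypto_sover 45
%define libssl_sover 47
%define libtls_sover 19
%define libssl_pkg %mklibname ssl_libressl %{libssl_sover}
%define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover}
%define libtls_pkg %mklibname tls_libressl %{libtls_sover}

Summary: LibreSSL utils and libs coexisting with OpenSSL
Name: libressl
# NOTE(review): confirm this release still receives upstream security fixes
Version: 3.0.2
Release: 1
# The code is distributed under ISC license except of original OpenSSL code
License: ISC and BSD-like
Group: System/Libraries
# Upstream locations use HTTPS so that the source of a crypto library is
# not referenced over a clear-text channel.
# NOTE(review): nothing in this spec verifies Source0 against the detached
# signature upstream publishes next to the tarball; confirm that the build
# system pins a checksum for it.
Url: https://www.libressl.org
Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz
# TODO: add printing config location to `openssl version`
Source1: 0001-Allow-custom-config-location.patch
Source10: libressl.rpmlintrc
# If both openssl and libressl libraries are loaded into one runtime,
# versioning their symbols will or may allow them to coexist
# (patch from ALT Linux)
Patch2: SUSE-extra-symver.patch
# From https://www.mitchr.me/SS/exampleCode/openssl.html
Source20: test.c
Source22: test2.c
# From import/openssl, originates from Fedora
Source25: test5.c
# To get %%_openssldir and for %%check
BuildRequires: openssl-devel
# readelf <...> | <...>
BuildRequires: binutils grep gawk
BuildRequires: chrpath
# This LibreSSL uses /etc/pki/tls from system OpenSSL
# but most functions will work without its files
Suggests: openssl
# Prevent dependencies from lib*_libressl* subpackages for the main package
# because it may freely use /opt/libressl/lib/*.so.*
# but put "Autoreq: 1" in other subpackages which may be installed without
# libressl main package being installed and will use /usr/lib(64)/.*so.*
Autoreq: 0

%description
LibreSSL utils and libs coexisting with OpenSSL.
GOST is supported out of the box.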
# Main package: the openssl/libressl tools and the private library copies
# under /opt/libressl, plus the renamed man pages under /usr/share/man.
%files
%doc ChangeLog COPYING
# %%_bindir here is /opt/libressl/bin
# %%_obindir is /usr/bin
# %%_mandir is /opt/libressl/share/man
# %%_omandir is /usr/share/man
%{_bindir}/openssl
%{_bindir}/libressl
%{_obindir}/libressl
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_omandir}/*/*
%{_libdir}/*.so.*
# Config files live in the directory shared with system OpenSSL;
# noreplace keeps local edits on package upgrade
%config(noreplace) %{_openssldir}/libressl.cnf
%config(noreplace) %{_openssldir}/x509v3.cnf
# man3 pages and unversioned *.so links are listed in the devel package
%exclude %{_omandir}/man3/*
# nc/netcat and ocspcheck man pages are listed in their own packages
%exclude %{_omandir}/*/nc.*
%exclude %{_omandir}/*/netcat.*
%exclude %{_omandir}/*/ocspcheck.*
%exclude %{_libdir}/*.so

#-------------------------------------------------------------------------------------

# Library subpackages ship the copies placed in %%_olibdir (/usr/lib or
# /usr/lib64); RUNPATH is deleted from those copies in the install section.
# "Autoreq: 1" re-enables automatic requires, which the main package disables.
%package -n %{libcrypto_pkg}
Summary: libcrypto library from LibreSSL
Autoreq: 1

%description -n %{libcrypto_pkg}
libcrypto library from LibreSSL

%files -n %{libcrypto_pkg}
%{_olibdir}/libcrypto.so.%{libcrypto_sover}*

#-------------------------------------------------------------------------------------

%package -n %{libssl_pkg}
Summary: libssl library from LibreSSL
Autoreq: 1

%description -n %{libssl_pkg}
libssl library from LibreSSL

%files -n %{libssl_pkg}
%{_olibdir}/libssl.so.%{libssl_sover}*

#-------------------------------------------------------------------------------------

%package -n %{libtls_pkg}
Summary: libtls library from LibreSSL
Autoreq: 1

%description -n %{libtls_pkg}
libtls library from LibreSSL

%files -n %{libtls_pkg}
%{_olibdir}/libtls.so.%{libtls_sover}*

#-------------------------------------------------------------------------------------

# The only devel package: headers, unversioned *.so links in /opt/libressl/lib,
# the renamed pkg-config files in %%_olibdir/pkgconfig and the man3 pages.
%package devel
Summary: LibreSSL devel package
Requires: %{name} = %{EVRD}
Autoreq: 1

%description devel
LibreSSL devel package.
Devel libraries are in %{_libdir}, but the same runtime libraries
exist in %{_libdir} and %{_olibdir}.
After linking, binaries will load libs from %{_olibdir}.
When using pkg-config, RPATH is set to %{_libdir},
remove RPATH/RUNPATH manually if needed.

%files devel
%doc ChangeLog COPYING
%{_libdir}/*.so
%{_olibdir}/pkgconfig/*.pc
%{_includedir}
%{_mandir}/man3/*
%{_omandir}/man3/*

#-------------------------------------------------------------------------------------

# ocspcheck is moved to /usr/bin in the install section and has its RUNPATH
# deleted there, so it is installable without the main package.
%package -n ocspcheck
Summary: Utility to validate certificates
Autoreq: 1

%description -n ocspcheck
Utility to validate a certificate against its OCSP responder
and save the reply for stapling

%files -n ocspcheck
%doc ChangeLog COPYING
%{_obindir}/ocspcheck
%{_omandir}/man*/ocspcheck.*

#-------------------------------------------------------------------------------------

# nc is moved to /usr/bin in the install section (netcat is a symlink to it);
# the Conflicts below keep other netcat implementations from being co-installed.
%package -n netcat-openbsd
Summary: Reads and writes data across network connections using TCP or UDP
Conflicts: netcat < 1.0
Conflicts: netcat-traditional
Conflicts: netcat-gnu
# netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced
#Obsoletes: netcat-openbsd < 1.89.1
Provides: netcat-tls = %{EVRD}
Provides: netcat-libressl = %{EVRD}
Provides: nc = %{EVRD}
Autoreq: 1

%description -n netcat-openbsd
The nc package contains Netcat (the program is actually nc), a simple
utility for reading and writing data across network connections, using
the TCP or UDP protocols. Netcat is intended to be a reliable back-end
tool which can be used directly or easily driven by other programs and
scripts. Netcat is also a feature-rich network debugging and exploration
tool, since it can create many different connections and has many
built-in capabilities.

You may want to install the netcat package if you are administering a
network and you'd like to use its debugging and network exploration
capabilities.
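%files -n netcat-openbsd
%doc ChangeLog COPYING
%{_obindir}/nc
%{_obindir}/netcat
%{_omandir}/man*/nc.*
%{_omandir}/man*/netcat.*

#-------------------------------------------------------------------------------------

%prep
%setup -q
%patch2 -p2

# Patch is against gits https://github.com/libressl-portable/
# Release tarball is packaged in a tricky way, so rewrite the paths
# inside the patch to the tarball layout before applying it
sed \
	-e 's,src/lib/libcrypto/,crypto/,g' \
	-e 's,src/usr.bin/openssl/,apps/openssl/,g' \
	%{SOURCE1} > 1.patch
patch -p1 < 1.patch

%build
%setup_compile_flags
%serverbuild
# Use the same %%_openssl dir with OpenSSL, but separate the config
# (note that we patch libressl, X509_CONF_FILE is not upstream)
export CFLAGS="$CFLAGS -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'"
# TODO: why by default without this runpath is not set on libcrypto.so*,
# but is set on libtls.so* and libssl.so*?
export LDFLAGS="$LDFLAGS -Wl,-rpath=%{_libdir}"
autoreconf -if
#patch2
# static libs are required for tests target in Makefile
%configure2_5x \
	--enable-nc \
	--enable-static \
	--with-openssldir=%{_openssldir}
%make

%install
set +f # explicitly enable shell globbing
%makeinstall_std

# Some ideas about mans are from ALT Linux spec
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1
mkdir -p %{buildroot}%{_mandir}/man8/
install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8

for i in $(seq 1 8)
do
	man_dir="%{buildroot}%{_mandir}/man${i}"
	if [ ! -d "$man_dir" ]; then continue; fi
	( cd "$man_dir"
		# Point the documentation at the directory this build really uses
		grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || :
		# The libressl_ prefix is reserved for the copies made below
		if find . -name 'libressl_*' | grep -q '.' ; then
			echo 'Rewrite spec because upstream libressl_* manpages appeared!'
			exit 1
		fi
		# Make all man pages with potentially the same names as in OpenSSL
		# be available in standard man directories, but prevent conflicts with OpenSSL
		for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do
			openssl_LibreSSL_manpage="libressl_${openssl_manpage}"
			cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
		done
		for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do
			openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')"
			cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
		done
	)
done
mkdir -p %{buildroot}%{_omandir}
cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/
# We have put libressl_ prefixed mans to system man directory,
# now delete them from /opt/libressl/share/man to leave
# mans with original names in /opt/libressl/share/man
rm -fv %{buildroot}%{_mandir}/*/libressl_*
rm -fv %{buildroot}%{_omandir}/*/openssl.*
# Fully delete other mans from /opt
rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}*

# Manually compress man pages because we use both
# /usr/share/man and /opt/libressl/share/man,
# /usr/lib/rpm/brp-compress will not compress both of them
mkdir tmp
pushd tmp
sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \
	%{_usrlibrpm}/brp-compress > ./brp-compress.sh
chmod +x ./brp-compress.sh
COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh
popd

mkdir -p %{buildroot}%{_obindir}
mv -v %{buildroot}%{_bindir}/{nc,ocspcheck} %{buildroot}%{_obindir}/
( cd %{buildroot}%{_bindir} ; ln -s openssl libressl )
( cd %{buildroot}%{_obindir} ; ln -s %{_bindir}/openssl libressl )
( cd %{buildroot}%{_obindir} ; ln -s nc netcat )
( cd %{buildroot}%{_includedir} ; ln -s openssl libressl )

# Remove static libs
( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a )

# Build scripts set RUNPATH, it is needed because /usr/bin/* are linked with
# /opt/libressl/lib/*.so.*, make sure that RUNPATH exists.
# Comparing with the exact install-time directory also fails the build when
# a buildroot or any other build-host path ended up in RUNPATH.
for i in $(find %{buildroot}%{_bindir} %{buildroot}%{_libdir} -type f -executable) ; do
	rpath="$(readelf -a "$i" | grep '(RUNPATH)' | head -n 1 | awk '{print $NF}' | tr -d '[]')"
	if [ "$rpath" != '%{_libdir}' ]; then
		echo "Empty or incorrect RPATH on ${i}!"
		exit 1
	fi
done

mkdir -p %{buildroot}/%{_olibdir}/pkgconfig
mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig
for i in share %{_lib}
do
	pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig"
	if [ ! -d "$pkgconfig_dir" ]; then continue; fi
	( cd "$pkgconfig_dir"
		for f in *.pc
		do
			if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then
				echo "Name in $f is not prefixed with LibreSSL-"
				exit 1
			fi
			# Restore ability to work with custom prefix
			# It is lost due to --exec_prefix=XXX in %%configure2_5x
			sed -i -r \
				-e 's,^exec_prefix=.+,exec_prefix=${prefix},' \
				-e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \
				-e 's,^includedir=.+,includedir=${prefix}/include,' \
				"$f"
			# TODO: is rpath in *.pc really needed?
			# (everything linked through these files gets a RUNPATH to ${libdir})
			if ! grep '^Libs:' "$f"
			then
				echo 'Libs: -Wl,-rpath=${libdir}' >> "$f"
			else
				# https://unix.stackexchange.com/a/328656
				sed -i -e '/^Libs:/s/$/ -Wl,-rpath=${libdir}/' "$f"
				grep '^Libs:' "$f" | grep -q rpath || exit 1
			fi
			mv -v "$f" "libressl-${f}"
			# Requires: libxx -> Requires: libressl-libxx
			# The replacement for libtls must match the renamed file
			# libressl-libtls.pc (it used to be misspelled as liblts).
			sed -i \
				-e 's/libcrypto/libressl-libcrypto/g' \
				-e 's/libtls/libressl-libtls/g' \
				-e 's/libssl/libressl-libssl/g' \
				-e 's/libressl-libressl-/libressl-/g' \
				"libressl-${f}"
			if [ -f libressl-openssl.pc ]; then
				mv -v libressl-openssl.pc libressl.pc
			fi
		done
	)
done

# Copies for /usr/lib(64) and the tools moved to /usr/bin must not carry
# RUNPATH: they are resolved through the default library search path
cp -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/
chrpath --delete %{buildroot}/%{_olibdir}/*.so.*
chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck}

# Stuff from system OpenSSL will be used
# (the certificate store is not shipped here, it comes from system OpenSSL)
rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem}
mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf

%check
# Run the given pkg-config command line and store its output:
#   oflags - flags exactly as printed
#   nflags - the same flags with the install prefix redirected into the
#            buildroot, because nothing is installed at build time
# The command is executed directly as "$@", no eval is needed for that.
_pcf(){
	unset oflags nflags
	oflags="$("$@")"
	nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')"
}
# Test binaries are not packaged, so a RUNPATH into the buildroot is fine here
rflags="-Wl,-rpath=%{buildroot}%{_libdir},-rpath=%{buildroot}%{_olibdir}"
# These tests caught a lot of mistakes during first builds
export PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig

# (test 1) Check that openssldir is correct
export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}
%{buildroot}/%{_bindir}/libressl version -d | awk '{print $NF}' | tr -d '""' | grep -q '^%{_openssldir}$'
unset LD_LIBRARY_PATH

# (test 2) Check that path to config file is correct
# and also check that pkg-config libressl points to libressl, not openssl
_pcf pkg-config --libs --cflags libressl
%__cc -o test2 %{SOURCE22} $nflags $rflags
ldd ./test2
[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1

# Check that our pkgconfig hacks somehow work
# (test 3) There is no /opt/libressl/ at build time
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test3 %{SOURCE20} $nflags $rflags
ldd ./test3
ldd ./test3 | grep -E '%{_prefix}.*/libcrypto\.so\.%{libcrypto_sover}'
./test3 | grep Hello

# (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly
# (build with libcrypto from OpenSSL)
_pcf pkg-config --libs --cflags libcrypto
%__cc -o test4 %{SOURCE20} $nflags $rflags
ldd ./test4
# "grep -v" succeeds as soon as any line does not match, so it can never
# fail the build; assert explicitly that nothing from LibreSSL is loaded
if ldd ./test4 | grep -E 'libcrypto\.so\.%{libcrypto_sover}|%{_prefix}'; then
	echo 'test4 was built against OpenSSL but loads LibreSSL libraries!'
	exit 1
fi
./test4 | grep Hello

# (test 5) Check that flags from all *.pc are valid
# libtls is overlinking here, but check linking
# NOTE(review): the libtls check assumes the linker keeps an unused library
# in the needed list (no --as-needed) - confirm on the target toolchain
_pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto
# The compiler macro must be spelled in ASCII: rpm expands only macro names
# made of ASCII letters, digits and underscores, so a look-alike spelling
# in another alphabet reaches the shell unexpanded and the build breaks
%__cc -o test5 %{SOURCE25} $nflags $rflags -lpthread -lz -ldl
ldd ./test5
# Inspect test5 itself; test3 is linked with libcrypto only
ldd ./test5 | grep -E '%{_prefix}.*/libcrypto\.so\.%{libcrypto_sover}'
ldd ./test5 | grep -E '%{_prefix}.*/libssl\.so\.%{libssl_sover}'
ldd ./test5 | grep -E '%{_prefix}.*/libtls\.so\.%{libtls_sover}'
./test5 --threads 2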