Djam/libressl
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/libressl.git synced 2025-02-23 16:12:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
libressl/libressl.spec
Alexander Stefanov 370f55c1a3 copy from the right path
2022-03-14 21:27:29 +00:00

681 lines
30 KiB
RPMSpec
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Initial purpose of packaging LibreSSL was the need to have a handy
# tool to work with GOST keys easily (LibreSSL has GOSTs out of the box).
# netcat-openbsd is now also packaged here.
# LibreSSL is a fork of OpenSSL and has same libraries, binaries
# and fucntions names, that is why it cannot coexist with OpenSSL
# easily and is packages to a separate prefix here.
# Remember some directories before changing %%_prefix, o - original
%define _oprefix /usr
%define _obindir %{_oprefix}/bin
%define _omandir %{_oprefix}/share/man
%define _olibdir %{_oprefix}/%{_lib}
# We need to override macros set in platform
%define _prefix /opt/libressl
%define _bindir %{_prefix}/bin
%define _includedir %{_prefix}/include
%define _libdir %{_prefix}/lib
%define _libexecdir %{_prefix}/libexec
%define _datadir %{_prefix}/share
%define _mandir %{_datadir}/man
# Keep package docs in normal locations
%define _defaultdocdir %{_oprefix}/share/doc
# RPM 4 by default looks for *.pc in %%_libdir which is redefined
%global __pkgconfig_path ^(%{_olibdir}/pkgconfig/.*\\.pc|%{_obindir}/pkg-config)$
# Make RPM mark files in both %%_mandir and %%_omandir as docs (RPM4-only)
%global __docdir_path %{__docdir_path}:%{_omandir}
# Disable /usr/share/spec-helper/relink_symlinks
# to make sure that symlinks are not broken
%define dont_relink 1
# Manually control RPATHs
%define dont_remove_rpath 1
# If man pages compression is not set up, skip it
%{?!_compress:%define _compress /bin/true}
%{?!_extension:%define _extension .xz}
# Ideas behind this package are the following:
# - libressl-devel must provide pkgconfig(libressl*)
# - libressl-devel must not provide pkgconfig(openssl),
# pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl)
# to prevent conflicts with OpenSSL
# - packages netcat-openbsd, ocspcheck, libressl are intended to
# comply with FHS, so libtls.so.*, libcrypto.so.* and libssl.so.*
# are packaged into separate packages, RPATHs are removed and
# /usr/bin/* must depend from separate libs packages and will
# use /usr/lib(64)/lib*.so.*
# - there are no per-library devel packages, only one libressl-devel
# with symlinks /opt/libressl/lib/*.so -> /usr/lib(64)/*.so.*
# - not FHS-compilant /opt is used only for devel package to allow
# coinstallability with OpenSSL devel packages
# // mikhailnov, 03.12.2019
# We rename e.g. libtls.pc to libressl-tls.pc, make sure that we do not
# get odd provides and break the repository if forgot to rename something.
# Filter out provides like 'devel(libcrypto(64bit))' (they are in OpenSSL).
%global __provides_exclude \
'.*openssl.*|pkgconfig\\(lib(tls|crypto|ssl)\\)|devel\\(lib(tls|crypto|ssl).*\\).*'
%define libcrypto_sover 46
%define libssl_sover 48
%define libtls_sover 20
%define libssl_pkg %mklibname ssl_libressl %{libssl_sover}
%define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover}
%define libtls_pkg %mklibname tls_libressl %{libtls_sover}
# parent commit of https://github.com/libressl-portable/openbsd/commit/a177033
# from which v3.2.0 is tagged
%define commit_openbsd 768c7156952b7df8245172586ca8c4c37d599a47
# https://github.com/libressl-portable/portable is tagged correctly,
# but lets also build from commit for consistency
%define commit_portable 44a6a2397fb9b8d6868ef73d51e6ef79c39b0322
%define _default_patch_fuzz 3
%define config_update %{nil}
# TODO: fix it, introduced by patches from gost-new
%define _disable_ld_no_undefined 1
Summary: LibreSSL utils and libs coexisting with OpenSSL
Name: libressl
Version: 3.2.0
Release: 8
# The code is distributed under ISC license except of original OpenSSL code
License: ISC and BSD-like
Group: System/Base
Url: http://libressl.org
#Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz
Source0: https://github.com/libressl-portable/portable/archive/%{commit_portable}.tar.gz?/libressl-portable-%{commit_portable}.tar.gz
Source1: https://github.com/libressl-portable/openbsd/archive/%{commit_openbsd}.tar.gz?/libressl-openbsd-%{commit_openbsd}.tar.gz
Source10: libressl.rpmlintrc
# Patches for openbsd tree are also commited here:
# https://github.com/mikhailnov/libressl-openbsd/commits/rosa-v3.2.0
# ROSA patch, TODO: add printing config location to `openssl version`
Patch0001: 0001-Allow-custom-config-location.patch
# Support of GOST 2015 and other fixes by lumag@, sponsored by ROSA Linux
# Поддержка TLS 1.2 CNT-IMIT и CTR-OMAC в соответствии с Р 1323565.1.020-2018 и
# draft-smyshlyaev-tls12-gost-suites.
# - Блочные шифры Магма, Кузнечик по ГОСТ Р 34.12-2015.
# - Режимы блочных шифров по ГОСТ Р 34.13-2015
# - Режим CTR-ACPKM по Р 1323565.1.017-2018
# - Режим MGM по Р 13235651.026-2019
# - Формат ключей по Р 1323565.1.023-2018
# - Параметры эллиптических кривых по Р 1323565.1.024-2019
# - Поддержка файлов CMS и PKCS7 по RFC 4490 (в режиме KeyTransport)
# - Поддержка файлов CMS и PKCS7 по Р 1323565.1.025-2019 (кроме режима KEK)
# - Поддержка файлов PKCS#8/PKCS#12 по Р 50.1.112-2016.
# - Поддержка криптонаборов TLS 1.2 по Р 1323565.1.020-2018
# Для поддержки криптонаборов TLS 1.3 с точки зрения ГОСТ все готово,
# поддержка TLS 1.3 в самом LibreSSL пока находится в процессе разработки.
# In process of upstreamization which is going not easily...
# git clone https://github.com/GostCrypt/libressl-openbsd.git -b gost-new
# cd libressl-openbsd
# git format-patch -64 --start-number=101
# ( for i in 01*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $1}'): $i ; done ) | sort -h
# cherry-picked from upstream after v3.2.0 and gost-new
Patch0002: 0002-Remove-expired-certificate-ok-tb.patch
Patch0003: 0003-Properly-document-PKCS7_final-3-which-was-already-me.patch
Patch0004: 0004-distracting-whitespace.patch
Patch0005: 0005-new-manual-page-PKCS7_add_attribute-3.patch
Patch0006: 0006-mention-that-TLS_method-3-also-supports-TLSv1.3.patch
Patch0007: 0007-minor-polishing.patch
Patch0008: 0008-Apply-some-style-9.patch
Patch0009: 0009-Add-support-for-additional-GOST-curves.patch
Patch0010: 0010-Add-a-few-more-errors-to-help-debugging.patch
Patch0011: 0011-Add-OIDs-for-HMAC-using-Streebog-GOST-R-34.11-2012-h.patch
Patch0012: 0012-Allow-GOST-R-34.11-2012-in-PBE-PBKDF2-PKCS-5.patch
Patch0013: 0013-Enable-GOST_SIG_FORMAT_RS_LE-when-verifying-certific.patch
Patch0014: 0014-Handle-GOST-in-ssl_cert_dup.patch
Patch0015: 0015-Stop-sending-GOST-R-34.10-94-as-a-CertificateType.patch
Patch0016: 0016-Use-IANA-allocated-GOST-ClientCertificateTypes.patch
Patch0017: 0017-Add-a-custom-copy-handler-for-AES-key-wrap.patch
Patch0018: 0018-document-PKCS7_get_signer_info-3.patch
Patch0019: 0019-wording-tweaks-from-ross-l-richardson-and-tb.patch
Patch0020: 0020-document-PEM_ASN1_read-3-and-PEM_ASN1_read_bio-3.patch
Patch0021: 0021-add-a-comment-saying-that-name_cmp-is-intentionally-.patch
Patch0022: 0022-add-my-Copyright-and-license-which-i-forgot-when-add.patch
Patch0023: 0023-Document-PEM_def_callback-3.patch
Patch0024: 0024-Document-EVP_read_pw_string_min-3.patch
Patch0025: 0025-gost-populate-params-tables-with-new-curves.patch
Patch0026: 0026-gost-use-ECerror-to-report-EC-errors.patch
Patch0027: 0027-gost-support-new-PublicKeyParameters-format.patch
Patch0028: 0028-gostr341001-support-unwrapped-private-keys-support.patch
Patch0029: 0029-pkcs12-add-support-for-GOST-PFX-files.patch
Patch0030: 0030-modes-add-functions-implementing-common-code-for-64-.patch
Patch0031: 0031-gost-drop-key_len-from-Gost28147_set_key.patch
Patch0032: 0032-gost-use-key_meshing-for-specifying-section-size.patch
Patch0033: 0033-gost-add-support-for-magma-cipher.patch
Patch0034: 0034-gost-add-support-for-kuznyechik-cipher.patch
Patch0035: 0035-kuznyechik-fix-IV-handling-for-CTR-mode.patch
Patch0036: 0036-magma-fix-IV-handling-for-CTR-mode.patch
Patch0037: 0037-gost-add-support-for-ACPKM-rekeying.patch
Patch0038: 0038-gost-add-support-for-GOST-34.12-Magma-Kuznyechik-enc.patch
Patch0039: 0039-gost-add-support-for-magma-ctr-acpkm-mode.patch
Patch0040: 0040-gost-add-support-for-kuznyechik-ctr-acpkm-mode.patch
Patch0041: 0041-kdftree-add-functions-implementing-KDF_TREE-function.patch
Patch0042: 0042-gost-add-support-for-new-GOST-key-transport-data-for.patch
Patch0043: 0043-modes-add-support-for-128-bit-MGM-mode.patch
Patch0044: 0044-modes-add-support-for-64-bit-MGM-mode.patch
Patch0045: 0045-gost-add-kuznyechik-mgm-support.patch
Patch0046: 0046-gost-add-magma-mgm-support.patch
Patch0047: 0047-regress-evp-add-simple-test-for-AEAD-ciphers.patch
Patch0048: 0048-evp-add-EVP_CIPHER-interface-for-kuznyechik-mgm.patch
Patch0049: 0049-evp-add-EVP_CIPHER-interface-for-magma-mgm.patch
Patch0050: 0050-evp-add-support-for-Kuznyechik-ctr-acpkm-omac-cipher.patch
Patch0051: 0051-evp-add-support-for-Magma-ctr-acpkm-omac-cipher.patch
Patch0052: 0052-gost-restore-CMS-support.patch
Patch0053: 0053-gost-add-support-for-CMS-and-SMIME-enveloped-files.patch
Patch0054: 0054-cms-add-support-for-using-AEAD-ciphers-in-CMS-files.patch
Patch0055: 0055-cms-populate-SMIMECaps-with-new-GOST-algorithms.patch
Patch0056: 0056-cms-allow-keys-support-different-RI-types.patch
Patch0057: 0057-evp-support-kuznyechik-kexp15-keywrap-algorithm.patch
Patch0058: 0058-evp-support-magma-kexp15-keywrap-algorithm.patch
Patch0059: 0059-gost-support-specifying-old-or-new-KEG-derivation-fo.patch
Patch0060: 0060-cms-add-support-for-setting-KeyAgreement-UKM.patch
Patch0061: 0061-cms-select-proper-cipher-for-GOST-KeyAgreeement.patch
Patch0062: 0062-cms-specify-originator-key-for-KeyAgreement-decoding.patch
Patch0063: 0063-cms-support-specifying-originator-certificate-and-ke.patch
Patch0064: 0064-gost-add-support-for-decoding-KeyAgreement-CMS-files.patch
Patch0065: 0065-cms-autoguess-preferred-RecipientInfo-type.patch
Patch0066: 0066-Fix-S-Box-used-for-CipherKeyExchange-message-in-GOST.patch
Patch0067: 0067-gost-pmeth-check-that-result-of-data-encryption-woul.patch
Patch0068: 0068-ssl_sigalgs-select-proper-default-algorithm-for-GOST.patch
Patch0069: 0069-ssl-add-support-for-IANA-allocated-GOST-sigalgs-valu.patch
Patch0070: 0070-ssl-provide-interoperability-with-CryptoPro-CSP.patch
Patch0071: 0071-ssl-do-not-send-GOST-94-certificate-type.patch
Patch0072: 0072-ssl-add-support-for-new-GOST-CNT-IMIT-ciphersuite-va.patch
Patch0073: 0073-evp-add-EVP_PKEY_new_CMAC_key-function.patch
Patch0074: 0074-evp-fix-sign-verify-for-EVP_PKEY_CMAC-keys.patch
Patch0075: 0075-evp-fix-EVP_MD_CTX_copy_ex-for-CMAC-contexts.patch
Patch0076: 0076-objects-add-id-for-gost-kdf-key-exchange-for-CTR-OMA.patch
Patch0077: 0077-ssl-add-defines-for-GOST-CTR-OMAC-ciphersuites.patch
Patch0078: 0078-ssl-add-support-for-GOST-KDF-key-exchange.patch
Patch0079: 0079-ssl-support-selecting-CMAC-for-CTR-OMAC-ciphersuites.patch
Patch0080: 0080-ssl-select-ACPKM-session-size-for-CTR-OMAC-ciphersui.patch
Patch0081: 0081-ssl-fix-Finished-message-length-for-CTR-OMAC-ciphers.patch
Patch0082: 0082-ssl-fix-CMAC-support.patch
Patch0083: 0083-ssl-merge-read-and-write-sequence-secrets-into-commo.patch
Patch0084: 0084-ssl-drop-mac_flags-field.patch
Patch0085: 0085-ssl-support-IV-increments-for-GOST-CTR-OMAC-ciphersu.patch
Patch0086: 0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch
Patch0087: 0087-ssl-add-support-for-TLSTREE-rekeying.patch
# https://www.opennet.ru/opennews/art.shtml?num=54233
# https://github.com/libressl-portable/openbsd/commit/f22d7684aed13a9ae9ea6554b7a3e52fdfa4f193
# From LibreSSL 3.2.3
Patch0088: 0088-CVE-2020-1971.patch
# https://www.opennet.ru/opennews/art.shtml?num=55683
# https://github.com/libressl-portable/openbsd/commit/89d74f9b9c8c0b042e81aecb6c286253a51659d8
# From LibreSSL 3.2.6
Patch0089: 0089-CVE-2021-3712.patch
# TODO:
# https://www.opennet.ru/opennews/art.shtml?num=54774
# https://github.com/libressl-portable/openbsd/commit/5f00b800749f246861e892a17d9012bd25fc06ba (LibreSSL 3.2.5)
# Code is different in our version, investigation if backport is required is required.
# Patches for portable, from lumag@
# ( for i in *PORTABLE*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $2}'): $i ; done ) | sed -e 's,^Patch0,Patch2,g' | sort -h
# These patches for portable tree extend patches above for openbsd tree
# and have the same numbers
Patch2030: PORTABLE-0030-modes-add-functions-implementing-common-code-for-64-.patch
Patch2033: PORTABLE-0033-gost-add-support-for-magma-cipher.patch
Patch2034: PORTABLE-0034-gost-add-support-for-kuznyechik-cipher.patch
Patch2041: PORTABLE-0041-kdftree-add-functions-implementing-KDF_TREE-function.patch
Patch2042: PORTABLE-0042-gost-add-support-for-new-GOST-key-transport-data-for.patch
Patch2043: PORTABLE-0043-modes-add-support-for-128-bit-MGM-mode.patch
Patch2044: PORTABLE-0044-modes-add-support-for-64-bit-MGM-mode.patch
Patch2086: PORTABLE-0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch
Patch2100: PORTABLE-0100-fixup-build.patch
# If both openssl and libressl libraries are loaded into one runtime,
# versioning their symbols will or may allow them to coexist
Patch2200: PORTABLE-2200-SUSE-extra-symver.patch
# From https://www.mitchr.me/SS/exampleCode/openssl.html
Source20: test.c
Source22: test2.c
# From import/openssl, originates from Fedora
Source25: test5.c
# From Linux kernel 5.3.15, scripts/sign-file.c
Source29: test9.c
# To get %%_openssldir and for %%check
BuildRequires: openssl-devel
BuildRequires: pkgconfig(zlib)
#BuildRequires(check)
BuildRequires: gostsum
# readelf <...> | <...>
BuildRequires: binutils grep gawk
BuildRequires: chrpath
# This LibreSSL uses /etc/pki/tls from system OpenSSL
# but most functions will work without its files
Recommends: openssl
%description
LibreSSL utils and libs coexisting with OpenSSL.
GOST is supported out of the box.
%files
%doc ChangeLog COPYING
# %%_bindir here is /opt/libressl/bin
# %%_obindir is /usr/bin
# %%_mandir is /opt/libressl/share/man
# %%_omandir is /usr/share/man
%{_obindir}/libressl
%config(noreplace) %{_openssldir}/libressl.cnf
%config(noreplace) %{_openssldir}/x509v3.cnf
%{_omandir}/*/*
%exclude %{_omandir}/man3/*
%exclude %{_omandir}/*/nc.*
%exclude %{_omandir}/*/netcat.*
%exclude %{_omandir}/*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n %{libcrypto_pkg}
Summary: libcrypto library from LibreSSL
Group: System/Libraries
%description -n %{libcrypto_pkg}
libcrypto library from LibreSSL
%files -n %{libcrypto_pkg}
%{_olibdir}/libcrypto.so.%{libcrypto_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libssl_pkg}
Summary: libssl library from LibreSSL
Group: System/Libraries
%description -n %{libssl_pkg}
libssl library from LibreSSL
%files -n %{libssl_pkg}
%{_olibdir}/libssl.so.%{libssl_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libtls_pkg}
Summary: libtls library from LibreSSL
Group: System/Libraries
%description -n %{libtls_pkg}
libtls library from LibreSSL
%files -n %{libtls_pkg}
%{_olibdir}/libtls.so.%{libtls_sover}*
#-------------------------------------------------------------------------------------
%package devel
Summary: LibreSSL devel package
Group: Development/C
Requires: %{name} = %{EVRD}
# symlinks /opt/libressl/lib/*.so.* -> /usr/lib(64)/*.so.*
Requires: %{libcrypto_pkg} = %{EVRD}
Requires: %{libtls_pkg} = %{EVRD}
Requires: %{libssl_pkg} = %{EVRD}
# Add provides to pull this package by common devel names
Provides: %{mklibname crypto_libressl -d} = %{EVRD}
Provides: %{mklibname tls_libressl -d} = %{EVRD}
Provides: %{mklibname ssl_libressl -d} = %{EVRD}
# Automatic provides like 'devel(libcrypto(64bit))' are blocked by
# filters to prevent conflicts with OpenSSL
# devel(libfoo) are RPM_VENDOR_MANDRIVA-specific in RPM 5
# TODO: probably no real need in emulating devel(libfoo)
%if 0%{?mdvver}
%if "%{?_lib}" == "lib64"
%define b64 (64bit)
%else
%define b64 %{nil}
%endif
Provides: devel(libressl-libtls%{b64})
Provides: devel(libressl-libcrypto%{b64})
Provides: devel(libressl-libssl%{b64})
%endif
%description devel
LibreSSL devel package. Devel libraries are in %{_libdir},
runtime librararies are in %{_olibdir},
pkg-config sets -I%{_libdir} in CFLAGS.
%files devel
%doc ChangeLog COPYING
%{_libdir}/*.so
# symlinks to %%{_olibdir}/*.so.*, only for devel package
%{_libdir}/*.so.*
%{_olibdir}/pkgconfig/*.pc
%{_includedir}
%{_mandir}/*/*
%{_omandir}/man3/*
%{_rpmmacrodir}/*libressl*
#-------------------------------------------------------------------------------------
%package -n ocspcheck
Summary: Utility to validate certificates
Group: System/Base
%description -n ocspcheck
Utility to validate a certificate against its OCSP responder and
save the reply for stapling
%files -n ocspcheck
%doc ChangeLog COPYING
%{_obindir}/ocspcheck
%{_omandir}/man*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n netcat-openbsd
Summary: Reads and writes data across network connections using TCP or UDP
Group: System/Base
Conflicts: netcat < 1.0
Conflicts: netcat-traditional
Conflicts: netcat-gnu
# netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced
#Obsoletes: netcat-openbsd < 1.89.1
Provides: netcat-tls = %{EVRD}
Provides: netcat-libressl = %{EVRD}
Provides: nc = %{EVRD}
# Provide "netcat" to satisfy deps of packages which require _any_
# implementation of netcat.
# But make this netcat the default one, so,
# while other packages provide "netcat = 1.0",
# provide a higher version here to make this package
# the default candidate to be installed as "netcat".
%if %{mdvver} > 201610
Provides: netcat = %{EVRD}
# other netcats were removed due to their upstreams being dead
Obsoletes: netcat-gnu < 0.7.2
Obsoletes: netcat-traditional < 111
%else
# keep old default in rosa2016.1
Provides: netcat = 1.0
%endif
%description -n netcat-openbsd
The nc package contains Netcat (the program is actually nc), a simple
utility for reading and writing data across network connections, using
the TCP or UDP protocols. Netcat is intended to be a reliable back-end
tool which can be used directly or easily driven by other programs and
scripts. Netcat is also a feature-rich network debugging and
exploration tool, since it can create many different connections and
has many built-in capabilities.
You may want to install the netcat package if you are administering a
network and you'd like to use its debugging and network exploration
capabilities.
%files -n netcat-openbsd
%doc ChangeLog COPYING
%{_obindir}/nc
%{_obindir}/netcat
%{_omandir}/man*/nc.*
%{_omandir}/man*/netcat.*
#-------------------------------------------------------------------------------------
%prep
%setup -q -n portable-%{commit_portable} -a1
# Emulating creation of release tarball...
mv openbsd-%{commit_openbsd} openbsd
( cd openbsd
# First apply patches and then run a script which will copy files etc.
for i in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep -v '/PORTABLE\-' | sort -h); do
echo "Applying openbsd patch $i"
patch -p1 < "$i"
done
)
sed -i -e 's,git ,true ,g' update.sh
sed -i -e 's,./update.sh,sh -x ./update.sh,g' autogen.sh
sh -x ./autogen.sh | tee autogen0.log
# Protection against incorrect updates, e.g. by updates_tracker
grep -q "^LibreSSL version %{version}$" autogen0.log
rm -f autogen0.log
# Now apply patches on top of portable edition after all files have been generated
for i in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep '/PORTABLE\-' | sort -h); do
echo "Applying portable patch $i"
patch -p1 < "$i"
done
# Rerun after patching
sh -x update.sh
%build
%setup_compile_flags
%serverbuild
# Use the same %%_openssl dir with OpenSSL, but separate the config
# (note that we patch libressl, X509_CONF_FILE is not upstream)
export CFLAGS="$CFLAGS -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'"
#autoreconf -if #Source21
# static libs are required for tests target in Makefile
cp -fv /usr/share/libtool/config/config.* .
%configure \
--enable-nc \
--enable-static \
--with-openssldir=%{_openssldir}
%make_build
%install
set +f # explicitly enable shell globbing
%make_install
# Some ideas about mans are from ALT Linux spec
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1
mkdir -p %{buildroot}%{_mandir}/man8/
install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8
for i in $(seq 1 8)
do
man_dir="%{buildroot}%{_mandir}/man${i}"
if [ ! -d "$man_dir" ]; then continue; fi
( cd "$man_dir"
grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || :
if find . -name 'libressl_*' | grep -q '.' ; then
echo 'Rewrite spec because upstream libressl_* manpages appeared!'
exit 1
fi
# Make all man pages with potentially the same names as in OpenSSL
# be avaialble in standard man directories, but prevent conflicts with OpenSSL
for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do
openssl_LibreSSL_manpage="libressl_${openssl_manpage}"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do
openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
)
done
mkdir -p %{buildroot}%{_omandir}
cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/
# We have put libressl_ prefixed mans to system man directory,
# now delete them from /opt/libressl/share/man to leave
# mans with original names in /opt/libressl/share/man
# Mans with original names will be included to devel package only
rm -fv %{buildroot}%{_mandir}/*/libressl_*
rm -fv %{buildroot}%{_omandir}/*/openssl.*
( cd %{buildroot}%{_omandir}/man3 ; rm -fv $(ls -1v | grep -v '^libressl_') )
# Fully delete other mans from /opt
rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}*
# Manually compress man pages because we use both
# /usr/share/man and /opt/libressl/share/man,
# /usr/lib/rpm/brp-compress will not compress both of them
mkdir tmp
( cd tmp
sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \
%{_usrlibrpm}/brp-compress > ./brp-compress.sh
chmod +x ./brp-compress.sh
COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh
)
mkdir -p %{buildroot}%{_obindir}
mv -v %{buildroot}%{_bindir}/{nc,ocspcheck,openssl} %{buildroot}%{_obindir}/
mv -v %{buildroot}%{_obindir}/openssl %{buildroot}%{_obindir}/libressl
( cd %{buildroot}%{_obindir} ; ln -s nc netcat )
( cd %{buildroot}%{_includedir} ; ln -s openssl libressl )
# Remove static libs
( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a )
mkdir -p %{buildroot}/%{_olibdir}/pkgconfig
mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig
for i in share %{_lib}
do
pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig"
if [ ! -d "$pkgconfig_dir" ]; then continue; fi
( cd "$pkgconfig_dir"
for f in *.pc
do
if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then
echo "Name in $f is not prefixed with LibreSSL-"
exit 1
fi
# Restore ability to work with custom prefix
# It is lost due to --exec_prefix=XXX in %%configure
sed -i -r \
-e 's,^exec_prefix=.+,exec_prefix=${prefix},' \
-e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \
-e 's,^includedir=.+,includedir=${prefix}/include,' \
"$f"
mv -v "$f" "libressl-${f}"
# Requires: libxx -> Requires: libressl-libxx
sed -i \
-e 's/libcrypto/libressl-libcrypto/g' \
-e 's/libtls/libressl-liblts/g' \
-e 's/libssl/libressl-libssl/g' \
-e 's/libressl-libressl-/libressl-/g' \
"libressl-${f}"
if [ -f libressl-openssl.pc ]; then
mv -v libressl-openssl.pc libressl.pc
fi
done
)
done
mv -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/
( cd %{buildroot}/%{_libdir}/
for i in %{buildroot}/%{_olibdir}/{libcrypto,libtls,libssl}.so.*
do
filename="$(basename "$i")"
# /opt/libressl/lib
# /usr/lib64/
# Relative symlink is required to use *.so in tests...
ln -s ../../../"%{_olibdir}/${filename}" "$filename"
done
)
if [ "$(find %{buildroot}/%{_libdir}/ -iname '*.so.*' -type f | wc -l)" -gt 0 ]; then
echo "Some shared libraries were not relocated!"
exit 1
fi
chrpath --delete %{buildroot}/%{_olibdir}/*.so.*
chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck,libressl}
# Stuff from system OpenSSL will be used
rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem}
mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf
# Having sovers as macros may be useful to check that binaries are linked against LibreSSL
cat << EOF > macros.file
%%libressl_version %{version}
%%libressl_libcrypto_sover %{libcrypto_sover}
%%libressl_libssl_sover %{libssl_sover}
%%libressl_libtls_sover %{libtls_sover}
%%libressl_prefix /opt/libressl
EOF
%install_macro libressl macros.file
%check
_pcf(){
unset oflags nflags
oflags="$(eval $@)"
nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')"
}
libressl="%{buildroot}/%{_obindir}/libressl"
# These tests caught a lot of mistakes during first builds
export PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig
export LD_LIBRARY_PATH=%{buildroot}/%{_olibdir}
# (test 1) Check that openssldir is correct
$libressl version -d | awk '{print $NF}' | tr -d '""' | grep -q '^%{_openssldir}$'
# (test 2) Check that path to config file is correct
# and also check that pkg-config libressl points to libressl, not openssl
_pcf pkg-config --libs --cflags libressl
%__cc -o test2 %{SOURCE22} $nflags
ldd ./test2
[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1
# Check that our pkgconfig hacks somehow work
# (test 3) There is no /opt/libressl/ at build time
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test3 %{SOURCE20} $nflags
ldd ./test3
ldd ./test3 | grep 'libcrypto\.so\.%{libcrypto_sover}'
./test3 | grep Hello
# (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly
# (build with libcrypto from OpenSSL)
_pcf pkg-config --libs --cflags libcrypto
%__cc -o test4 %{SOURCE20} $nflags
ldd ./test4
ldd ./test4 | grep -v '/libcrypto\.so\.%{libcrypto_sover}'
./test4 | grep Hello
# (test 5) Check that flags from all *.pc are valid
# libtls is overlinking here, but check linking
_pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto
%__cc -o test5 %{SOURCE25} $nflags -lpthread -lz -ldl
ldd ./test5
ldd ./test5 | grep '/libcrypto\.so\.%{libcrypto_sover}'
ldd ./test5 | grep '/libssl\.so\.%{libssl_sover}'
ldd ./test5 | grep '/libtls\.so\.%{libtls_sover}'
./test5 --threads 2
# (test 6) Check that gost12sum (from OpenSSL gost-engine) and LibreSSL give the same result
# This also simply checks that checksums by GOST do work
echo test6 > ./test6
# gost12sum is Streebog-256, gostsum -l is Streebog-512
_gost12sum="$(gost12sum ./test6 | awk '{print $1}')"
_libressl="$($libressl dgst -streebog256 ./test6 | awk '{print $NF}')"
[ "$_gost12sum" = "$_libressl" ] || exit 1
# (test 7) The same for Streebog-512
echo test7 > ./test7
_gost12sum="$(gost12sum -l ./test7 | awk '{print $1}')"
_libressl="$($libressl dgst -streebog512 ./test7 | awk '{print $NF}')"
[ "$_gost12sum" = "$_libressl" ] || exit 1
unset _gost12sum _libressl
# (test 8) Check that LibreSSL and gostsum use different byte order in GOST R 34.11-94 hashes
# https://ru.wikipedia.org/wiki/ГОСТ_Р_34.11-94#Формат_вывода
# ...and that their hash tables do not differ
# https://github.com/gost-engine/engine/issues/189
# If byte orders change, package maintainers must become aware of this via this test failing
# Running the same hashsumming for multiple times checks that results do not randomize
echo test8 > ./test8
_gs_beg="$(gostsum ./test8 | awk '{print $1}' | head -c2)"
_gs_end="$(gostsum ./test8 | awk '{print $1}' | tail -c3)" #-c3 because of EOL
_ls_beg="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | head -c2)"
_ls_end="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | tail -c3)"
_gs_length="$(gostsum ./test8 | awk '{print $1}' | wc -c)"
_ls_length="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | wc -c)"
[ "$_gs_beg" = "$_ls_end" ] && \
[ "$_gs_end" = "$_ls_beg" ] && \
[ "$_gs_length" = "$_ls_length" ] || exit 1
unset _gs_beg _gs_end _ls_beg _ls_end _gs_length _ls_length
# (test 9) Test ability to sign using program that requires OPENSSL_NO_CMS to de undefined
# https://bugzilla.kernel.org/show_bug.cgi?id=202159
# and ability to generate GOST R 34.10-12 keys
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test9 %{SOURCE29} $nflags
export OPENSSL_CONF=%{buildroot}%{_openssldir}/libressl.cnf
$libressl ecparam -genkey -name id-tc26-gost-3410-12-512-paramSetA -out priv.key -outform PEM
$libressl req -batch -new -x509 -nodes -key priv.key -out pem1.pem \
-subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root"
# Also possible to gen a new key and a certificate in one command:
# libressl req <...> -newkey ec -pkeyopt ec_paramgen_curve:id-tc26-gost-3410-12-512-paramSetA
# Signature Algorithm: ecdsa-with-SHA256
$libressl x509 -in pem1.pem -text -noout | grep -E 'Signature Algorithm:.*ecdsa-with-SHA256'
$libressl req -new -nodes -utf8 -batch -x509 -newkey gost2001 \
-pkeyopt dgst:streebog512 -pkeyopt paramset:A -streebog512 \
-days 109500 \
-subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root" \
-outform PEM -out pem2.pem -keyout pem2.pem
$libressl x509 -in pem2.pem -text -noout
$libressl x509 -in pem2.pem -text -noout | grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
$libressl x509 -in pem2.pem -text -noout | grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
$libressl x509 -in pem2.pem -text -noout | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
echo 123 > test9_file1
echo 123 > test9_file2
# Known to fail with: "CMS routines:func(4095):not supported for this key type"
./test9 streebog512 priv.key pem1.pem test9_file1 || :
$libressl dgst -streebog512 -sign pem2.pem test9_file2 > test9_file2.sig
./test9 -s test9_file2.sig streebog512 pem2.pem test9_file2
strings test9_file2 | tail -n 1 | grep -q '~Module signature appended~'
Reference in a new issue View git blame Copy permalink