
# Initial purpose of packaging LibreSSL was the need to have a handy
# tool to work with GOST keys easily (LibreSSL has GOSTs out of the box).
# netcat-openbsd is now also packaged here.
# LibreSSL is a fork of OpenSSL and has the same library, binary
# and function names, which is why it cannot coexist with OpenSSL
# easily and is packaged into a separate prefix here.
# Remember some directories before changing %%_prefix, o - original
%define _oprefix /usr
%define _obindir %{_oprefix}/bin
%define _omandir %{_oprefix}/share/man
%define _olibdir %{_oprefix}/%{_lib}
# We need to override macros set in platform
%define _prefix /opt/libressl
%define _bindir %{_prefix}/bin
%define _includedir %{_prefix}/include
%define _libdir %{_prefix}/lib
%define _libexecdir %{_prefix}/libexec
%define _datadir %{_prefix}/share
%define _mandir %{_datadir}/man
# Keep package docs in normal locations
%define _defaultdocdir %{_oprefix}/share/doc
# RPM 4 by default looks for *.pc in %%_libdir which is redefined
%global __pkgconfig_path ^(%{_olibdir}/pkgconfig/.*\\.pc|%{_obindir}/pkg-config)$
# Make RPM mark files in both %%_mandir and %%_omandir as docs (RPM4-only)
%global __docdir_path %{__docdir_path}:%{_omandir}
# Disable /usr/share/spec-helper/relink_symlinks
# to make sure that symlinks are not broken
%define dont_relink 1
# Manually control RPATHs
%define dont_remove_rpath 1
# If man pages compression is not set up, skip it
%{?!_compress:%define _compress /bin/true}
%{?!_extension:%define _extension .xz}
# Ideas behind this package are the following:
# - libressl-devel must provide pkgconfig(libressl*)
# - libressl-devel must not provide pkgconfig(openssl),
# pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl)
# to prevent conflicts with OpenSSL
# - packages netcat-openbsd, ocspcheck, libressl are intended to
# comply with FHS, so libtls.so.*, libcrypto.so.* and libssl.so.*
# are packaged into separate packages, RPATHs are removed and
# /usr/bin/* must depend on separate libs packages and will
# use /usr/lib(64)/lib*.so.*
# - there are no per-library devel packages, only one libressl-devel
# with symlinks /opt/libressl/lib/*.so -> /usr/lib(64)/*.so.*
# - not FHS-compliant /opt is used only for devel package to allow
# coinstallability with OpenSSL devel packages
# // mikhailnov, 03.12.2019
# We rename e.g. libtls.pc to libressl-tls.pc, make sure that we do not
# get odd provides and break the repository if forgot to rename something.
# Filter out provides like 'devel(libcrypto(64bit))' (they are in OpenSSL).
%global __provides_exclude \
'.*openssl.*|pkgconfig\\(lib(tls|crypto|ssl)\\)|devel\\(lib(tls|crypto|ssl).*\\).*'
%define libcrypto_sover 46
%define libssl_sover 48
%define libtls_sover 20
%define libssl_pkg %mklibname ssl_libressl %{libssl_sover}
%define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover}
%define libtls_pkg %mklibname tls_libressl %{libtls_sover}
# parent commit of https://github.com/libressl-portable/openbsd/commit/a177033
# from which v3.2.0 is tagged
%define commit_openbsd 768c7156952b7df8245172586ca8c4c37d599a47
# https://github.com/libressl-portable/portable is tagged correctly,
# but lets also build from commit for consistency
%define commit_portable 44a6a2397fb9b8d6868ef73d51e6ef79c39b0322
%define _default_patch_fuzz 3
%define config_update %{nil}
# TODO: fix it, introduced by patches from gost-new
%define _disable_ld_no_undefined 1
Summary: LibreSSL utils and libs coexisting with OpenSSL
Name: libressl
Version: 3.2.0
Release: 8
# The code is distributed under ISC license except of original OpenSSL code
License: ISC and BSD-like
Group: System/Base
Url: http://libressl.org
#Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz
Source0: https://github.com/libressl-portable/portable/archive/%{commit_portable}.tar.gz?/libressl-portable-%{commit_portable}.tar.gz
Source1: https://github.com/libressl-portable/openbsd/archive/%{commit_openbsd}.tar.gz?/libressl-openbsd-%{commit_openbsd}.tar.gz
Source10: libressl.rpmlintrc
# Patches for openbsd tree are also committed here:
# https://github.com/mikhailnov/libressl-openbsd/commits/rosa-v3.2.0
# ROSA patch, TODO: add printing config location to `openssl version`
Patch0001: 0001-Allow-custom-config-location.patch
# Support of GOST 2015 and other fixes by lumag@, sponsored by ROSA Linux
# Поддержка TLS 1.2 CNT-IMIT и CTR-OMAC в соответствии с Р 1323565.1.020-2018 и
# draft-smyshlyaev-tls12-gost-suites.
# - Блочные шифры Магма, Кузнечик по ГОСТ Р 34.12-2015.
# - Режимы блочных шифров по ГОСТ Р 34.13-2015
# - Режим CTR-ACPKM по Р 1323565.1.017-2018
# - Режим MGM по Р 13235651.026-2019
# - Формат ключей по Р 1323565.1.023-2018
# - Параметры эллиптических кривых по Р 1323565.1.024-2019
# - Поддержка файлов CMS и PKCS7 по RFC 4490 (в режиме KeyTransport)
# - Поддержка файлов CMS и PKCS7 по Р 1323565.1.025-2019 (кроме режима KEK)
# - Поддержка файлов PKCS#8/PKCS#12 по Р 50.1.112-2016.
# - Поддержка криптонаборов TLS 1.2 по Р 1323565.1.020-2018
# Для поддержки криптонаборов TLS 1.3 с точки зрения ГОСТ все готово,
# поддержка TLS 1.3 в самом LibreSSL пока находится в процессе разработки.
# In the process of being upstreamed, which is not going easily...
# git clone https://github.com/GostCrypt/libressl-openbsd.git -b gost-new
# cd libressl-openbsd
# git format-patch -64 --start-number=101
# ( for i in 01*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $1}'): $i ; done ) | sort -h
# cherry-picked from upstream after v3.2.0 and gost-new
Patch0002: 0002-Remove-expired-certificate-ok-tb.patch
Patch0003: 0003-Properly-document-PKCS7_final-3-which-was-already-me.patch
Patch0004: 0004-distracting-whitespace.patch
Patch0005: 0005-new-manual-page-PKCS7_add_attribute-3.patch
Patch0006: 0006-mention-that-TLS_method-3-also-supports-TLSv1.3.patch
Patch0007: 0007-minor-polishing.patch
Patch0008: 0008-Apply-some-style-9.patch
Patch0009: 0009-Add-support-for-additional-GOST-curves.patch
Patch0010: 0010-Add-a-few-more-errors-to-help-debugging.patch
Patch0011: 0011-Add-OIDs-for-HMAC-using-Streebog-GOST-R-34.11-2012-h.patch
Patch0012: 0012-Allow-GOST-R-34.11-2012-in-PBE-PBKDF2-PKCS-5.patch
Patch0013: 0013-Enable-GOST_SIG_FORMAT_RS_LE-when-verifying-certific.patch
Patch0014: 0014-Handle-GOST-in-ssl_cert_dup.patch
Patch0015: 0015-Stop-sending-GOST-R-34.10-94-as-a-CertificateType.patch
Patch0016: 0016-Use-IANA-allocated-GOST-ClientCertificateTypes.patch
Patch0017: 0017-Add-a-custom-copy-handler-for-AES-key-wrap.patch
Patch0018: 0018-document-PKCS7_get_signer_info-3.patch
Patch0019: 0019-wording-tweaks-from-ross-l-richardson-and-tb.patch
Patch0020: 0020-document-PEM_ASN1_read-3-and-PEM_ASN1_read_bio-3.patch
Patch0021: 0021-add-a-comment-saying-that-name_cmp-is-intentionally-.patch
Patch0022: 0022-add-my-Copyright-and-license-which-i-forgot-when-add.patch
Patch0023: 0023-Document-PEM_def_callback-3.patch
Patch0024: 0024-Document-EVP_read_pw_string_min-3.patch
Patch0025: 0025-gost-populate-params-tables-with-new-curves.patch
Patch0026: 0026-gost-use-ECerror-to-report-EC-errors.patch
Patch0027: 0027-gost-support-new-PublicKeyParameters-format.patch
Patch0028: 0028-gostr341001-support-unwrapped-private-keys-support.patch
Patch0029: 0029-pkcs12-add-support-for-GOST-PFX-files.patch
Patch0030: 0030-modes-add-functions-implementing-common-code-for-64-.patch
Patch0031: 0031-gost-drop-key_len-from-Gost28147_set_key.patch
Patch0032: 0032-gost-use-key_meshing-for-specifying-section-size.patch
Patch0033: 0033-gost-add-support-for-magma-cipher.patch
Patch0034: 0034-gost-add-support-for-kuznyechik-cipher.patch
Patch0035: 0035-kuznyechik-fix-IV-handling-for-CTR-mode.patch
Patch0036: 0036-magma-fix-IV-handling-for-CTR-mode.patch
Patch0037: 0037-gost-add-support-for-ACPKM-rekeying.patch
Patch0038: 0038-gost-add-support-for-GOST-34.12-Magma-Kuznyechik-enc.patch
Patch0039: 0039-gost-add-support-for-magma-ctr-acpkm-mode.patch
Patch0040: 0040-gost-add-support-for-kuznyechik-ctr-acpkm-mode.patch
Patch0041: 0041-kdftree-add-functions-implementing-KDF_TREE-function.patch
Patch0042: 0042-gost-add-support-for-new-GOST-key-transport-data-for.patch
Patch0043: 0043-modes-add-support-for-128-bit-MGM-mode.patch
Patch0044: 0044-modes-add-support-for-64-bit-MGM-mode.patch
Patch0045: 0045-gost-add-kuznyechik-mgm-support.patch
Patch0046: 0046-gost-add-magma-mgm-support.patch
Patch0047: 0047-regress-evp-add-simple-test-for-AEAD-ciphers.patch
Patch0048: 0048-evp-add-EVP_CIPHER-interface-for-kuznyechik-mgm.patch
Patch0049: 0049-evp-add-EVP_CIPHER-interface-for-magma-mgm.patch
Patch0050: 0050-evp-add-support-for-Kuznyechik-ctr-acpkm-omac-cipher.patch
Patch0051: 0051-evp-add-support-for-Magma-ctr-acpkm-omac-cipher.patch
Patch0052: 0052-gost-restore-CMS-support.patch
Patch0053: 0053-gost-add-support-for-CMS-and-SMIME-enveloped-files.patch
Patch0054: 0054-cms-add-support-for-using-AEAD-ciphers-in-CMS-files.patch
Patch0055: 0055-cms-populate-SMIMECaps-with-new-GOST-algorithms.patch
Patch0056: 0056-cms-allow-keys-support-different-RI-types.patch
Patch0057: 0057-evp-support-kuznyechik-kexp15-keywrap-algorithm.patch
Patch0058: 0058-evp-support-magma-kexp15-keywrap-algorithm.patch
Patch0059: 0059-gost-support-specifying-old-or-new-KEG-derivation-fo.patch
Patch0060: 0060-cms-add-support-for-setting-KeyAgreement-UKM.patch
Patch0061: 0061-cms-select-proper-cipher-for-GOST-KeyAgreeement.patch
Patch0062: 0062-cms-specify-originator-key-for-KeyAgreement-decoding.patch
Patch0063: 0063-cms-support-specifying-originator-certificate-and-ke.patch
Patch0064: 0064-gost-add-support-for-decoding-KeyAgreement-CMS-files.patch
Patch0065: 0065-cms-autoguess-preferred-RecipientInfo-type.patch
Patch0066: 0066-Fix-S-Box-used-for-CipherKeyExchange-message-in-GOST.patch
Patch0067: 0067-gost-pmeth-check-that-result-of-data-encryption-woul.patch
Patch0068: 0068-ssl_sigalgs-select-proper-default-algorithm-for-GOST.patch
Patch0069: 0069-ssl-add-support-for-IANA-allocated-GOST-sigalgs-valu.patch
Patch0070: 0070-ssl-provide-interoperability-with-CryptoPro-CSP.patch
Patch0071: 0071-ssl-do-not-send-GOST-94-certificate-type.patch
Patch0072: 0072-ssl-add-support-for-new-GOST-CNT-IMIT-ciphersuite-va.patch
Patch0073: 0073-evp-add-EVP_PKEY_new_CMAC_key-function.patch
Patch0074: 0074-evp-fix-sign-verify-for-EVP_PKEY_CMAC-keys.patch
Patch0075: 0075-evp-fix-EVP_MD_CTX_copy_ex-for-CMAC-contexts.patch
Patch0076: 0076-objects-add-id-for-gost-kdf-key-exchange-for-CTR-OMA.patch
Patch0077: 0077-ssl-add-defines-for-GOST-CTR-OMAC-ciphersuites.patch
Patch0078: 0078-ssl-add-support-for-GOST-KDF-key-exchange.patch
Patch0079: 0079-ssl-support-selecting-CMAC-for-CTR-OMAC-ciphersuites.patch
Patch0080: 0080-ssl-select-ACPKM-session-size-for-CTR-OMAC-ciphersui.patch
Patch0081: 0081-ssl-fix-Finished-message-length-for-CTR-OMAC-ciphers.patch
Patch0082: 0082-ssl-fix-CMAC-support.patch
Patch0083: 0083-ssl-merge-read-and-write-sequence-secrets-into-commo.patch
Patch0084: 0084-ssl-drop-mac_flags-field.patch
Patch0085: 0085-ssl-support-IV-increments-for-GOST-CTR-OMAC-ciphersu.patch
Patch0086: 0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch
Patch0087: 0087-ssl-add-support-for-TLSTREE-rekeying.patch
# https://www.opennet.ru/opennews/art.shtml?num=54233
# https://github.com/libressl-portable/openbsd/commit/f22d7684aed13a9ae9ea6554b7a3e52fdfa4f193
# From LibreSSL 3.2.3
Patch0088: 0088-CVE-2020-1971.patch
# https://www.opennet.ru/opennews/art.shtml?num=55683
# https://github.com/libressl-portable/openbsd/commit/89d74f9b9c8c0b042e81aecb6c286253a51659d8
# From LibreSSL 3.2.6
Patch0089: 0089-CVE-2021-3712.patch
# TODO:
# https://www.opennet.ru/opennews/art.shtml?num=54774
# https://github.com/libressl-portable/openbsd/commit/5f00b800749f246861e892a17d9012bd25fc06ba (LibreSSL 3.2.5)
# Code is different in our version; it must be investigated whether a backport is required.
# Patches for portable, from lumag@
# ( for i in *PORTABLE*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $2}'): $i ; done ) | sed -e 's,^Patch0,Patch2,g' | sort -h
# These patches for portable tree extend patches above for openbsd tree
# and have the same numbers
Patch2030: PORTABLE-0030-modes-add-functions-implementing-common-code-for-64-.patch
Patch2033: PORTABLE-0033-gost-add-support-for-magma-cipher.patch
Patch2034: PORTABLE-0034-gost-add-support-for-kuznyechik-cipher.patch
Patch2041: PORTABLE-0041-kdftree-add-functions-implementing-KDF_TREE-function.patch
Patch2042: PORTABLE-0042-gost-add-support-for-new-GOST-key-transport-data-for.patch
Patch2043: PORTABLE-0043-modes-add-support-for-128-bit-MGM-mode.patch
Patch2044: PORTABLE-0044-modes-add-support-for-64-bit-MGM-mode.patch
Patch2086: PORTABLE-0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch
Patch2100: PORTABLE-0100-fixup-build.patch
# If both openssl and libressl libraries are loaded into one runtime,
# versioning their symbols will or may allow them to coexist
Patch2200: PORTABLE-2200-SUSE-extra-symver.patch
# From https://www.mitchr.me/SS/exampleCode/openssl.html
Source20: test.c
Source22: test2.c
# From import/openssl, originates from Fedora
Source25: test5.c
# From Linux kernel 5.3.15, scripts/sign-file.c
Source29: test9.c
# To get %%_openssldir and for %%check
BuildRequires: openssl-devel
BuildRequires: pkgconfig(zlib)
#BuildRequires(check)
BuildRequires: gostsum
# readelf <...> | <...>
BuildRequires: binutils grep gawk
BuildRequires: chrpath
# This LibreSSL uses /etc/pki/tls from system OpenSSL
# but most functions will work without its files
Recommends: openssl
%description
LibreSSL utils and libs coexisting with OpenSSL.
GOST is supported out of the box.
%files
%doc ChangeLog COPYING
# %%_bindir here is /opt/libressl/bin
# %%_obindir is /usr/bin
# %%_mandir is /opt/libressl/share/man
# %%_omandir is /usr/share/man
%{_obindir}/libressl
%config(noreplace) %{_openssldir}/libressl.cnf
%config(noreplace) %{_openssldir}/x509v3.cnf
%{_omandir}/*/*
%exclude %{_omandir}/man3/*
%exclude %{_omandir}/*/nc.*
%exclude %{_omandir}/*/netcat.*
%exclude %{_omandir}/*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n %{libcrypto_pkg}
Summary: libcrypto library from LibreSSL
Group: System/Libraries
%description -n %{libcrypto_pkg}
libcrypto library from LibreSSL
%files -n %{libcrypto_pkg}
%{_olibdir}/libcrypto.so.%{libcrypto_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libssl_pkg}
Summary: libssl library from LibreSSL
Group: System/Libraries
%description -n %{libssl_pkg}
libssl library from LibreSSL
%files -n %{libssl_pkg}
%{_olibdir}/libssl.so.%{libssl_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libtls_pkg}
Summary: libtls library from LibreSSL
Group: System/Libraries
%description -n %{libtls_pkg}
libtls library from LibreSSL
%files -n %{libtls_pkg}
%{_olibdir}/libtls.so.%{libtls_sover}*
#-------------------------------------------------------------------------------------
%package devel
Summary: LibreSSL devel package
Group: Development/C
Requires: %{name} = %{EVRD}
# symlinks /opt/libressl/lib/*.so.* -> /usr/lib(64)/*.so.*
Requires: %{libcrypto_pkg} = %{EVRD}
Requires: %{libtls_pkg} = %{EVRD}
Requires: %{libssl_pkg} = %{EVRD}
# Add provides to pull this package by common devel names
Provides: %{mklibname crypto_libressl -d} = %{EVRD}
Provides: %{mklibname tls_libressl -d} = %{EVRD}
Provides: %{mklibname ssl_libressl -d} = %{EVRD}
# Automatic provides like 'devel(libcrypto(64bit))' are blocked by
# filters to prevent conflicts with OpenSSL
# devel(libfoo) are RPM_VENDOR_MANDRIVA-specific in RPM 5
# TODO: probably no real need in emulating devel(libfoo)
%if 0%{?mdvver}
%if "%{?_lib}" == "lib64"
%define b64 (64bit)
%else
%define b64 %{nil}
%endif
Provides: devel(libressl-libtls%{b64})
Provides: devel(libressl-libcrypto%{b64})
Provides: devel(libressl-libssl%{b64})
%endif
%description devel
LibreSSL devel package. Devel libraries are in %{_libdir},
runtime libraries are in %{_olibdir},
pkg-config sets -I%{_libdir} in CFLAGS.
%files devel
%doc ChangeLog COPYING
%{_libdir}/*.so
# symlinks to %%{_olibdir}/*.so.*, only for devel package
%{_libdir}/*.so.*
%{_olibdir}/pkgconfig/*.pc
%{_includedir}
%{_mandir}/*/*
%{_omandir}/man3/*
%{_rpmmacrodir}/*libressl*
#-------------------------------------------------------------------------------------
%package -n ocspcheck
Summary: Utility to validate certificates
Group: System/Base
%description -n ocspcheck
Utility to validate a certificate against its OCSP responder and
save the reply for stapling
%files -n ocspcheck
%doc ChangeLog COPYING
%{_obindir}/ocspcheck
%{_omandir}/man*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n netcat-openbsd
Summary: Reads and writes data across network connections using TCP or UDP
Group: System/Base
Conflicts: netcat < 1.0
Conflicts: netcat-traditional
Conflicts: netcat-gnu
# netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced
#Obsoletes: netcat-openbsd < 1.89.1
Provides: netcat-tls = %{EVRD}
Provides: netcat-libressl = %{EVRD}
Provides: nc = %{EVRD}
# Provide "netcat" to satisfy deps of packages which require _any_
# implementation of netcat.
# But make this netcat the default one, so,
# while other packages provide "netcat = 1.0",
# provide a higher version here to make this package
# the default candidate to be installed as "netcat".
%if %{mdvver} > 201610
Provides: netcat = %{EVRD}
# other netcats were removed due to their upstreams being dead
Obsoletes: netcat-gnu < 0.7.2
Obsoletes: netcat-traditional < 111
%else
# keep old default in rosa2016.1
Provides: netcat = 1.0
%endif
%description -n netcat-openbsd
The nc package contains Netcat (the program is actually nc), a simple
utility for reading and writing data across network connections, using
the TCP or UDP protocols. Netcat is intended to be a reliable back-end
tool which can be used directly or easily driven by other programs and
scripts. Netcat is also a feature-rich network debugging and
exploration tool, since it can create many different connections and
has many built-in capabilities.
You may want to install the netcat package if you are administering a
network and you'd like to use its debugging and network exploration
capabilities.
%files -n netcat-openbsd
%doc ChangeLog COPYING
%{_obindir}/nc
%{_obindir}/netcat
%{_omandir}/man*/nc.*
%{_omandir}/man*/netcat.*
#-------------------------------------------------------------------------------------
%prep
%setup -q -n portable-%{commit_portable} -a1
# Emulating creation of release tarball: the openbsd tree is unpacked next to
# the portable tree under the plain name the portable scripts expect
mv openbsd-%{commit_openbsd} openbsd
# Patch the openbsd tree first; only afterwards run the script which copies files etc.
# %%patches is one long line; split it into one path per line and drop the PORTABLE-* ones
( cd openbsd
for openbsd_patch in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep -v '/PORTABLE\-' | sort -h)
do
echo "Applying openbsd patch $openbsd_patch"
patch -p1 < "$openbsd_patch"
done
)
# Turn the git invocations in update.sh into no-ops: the openbsd tree is
# already present (presumably update.sh would otherwise try to fetch it)
sed -i -e 's,git ,true ,g' update.sh
# Trace update.sh when autogen.sh calls it, to make the log useful
sed -i -e 's,./update.sh,sh -x ./update.sh,g' autogen.sh
sh -x ./autogen.sh | tee autogen0.log
# Protection against incorrect updates, e.g. by updates_tracker:
# the version autogen.sh reports must be exactly %%{version}
grep -q "^LibreSSL version %{version}$" autogen0.log
rm -f autogen0.log
# Now apply the PORTABLE-* patches on top of the portable edition,
# after all generated files are in place
for portable_patch in $(echo "%patches" | sed -e 's,[[:space:]],\n,g' | grep '/PORTABLE\-' | sort -h)
do
echo "Applying portable patch $portable_patch"
patch -p1 < "$portable_patch"
done
# Rerun after patching
sh -x update.sh
%build
%config_update
%setup_compile_flags
%serverbuild
# Use the same %%_openssldir with OpenSSL, but separate the config file
# (note that we patch libressl, X509_CONF_FILE is not upstream; see Patch0001)
# The value must reach the compiler as a C string literal, hence the escaped inner quotes
export CFLAGS="$CFLAGS -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'"
#autoreconf -if #Source21
# static libs are required for tests target in Makefile
# (they are deleted again in %%install)
# --enable-nc builds the nc binary shipped as netcat-openbsd
%configure \
--enable-nc \
--enable-static \
--with-openssldir=%{_openssldir}
%make_build
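%install
set +f # explicitly enable shell globbing
%make_install
# Some ideas about mans are from ALT Linux spec
# nc(1) is installed under both names; the netcat binary is a symlink to nc below
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1
mkdir -p %{buildroot}%{_mandir}/man8/
install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8
# Post-process every man section that exists; missing sections are skipped
for i in {1..8}
do
man_dir="%{buildroot}%{_mandir}/man${i}"
if [ ! -d "$man_dir" ]; then continue; fi
( cd "$man_dir"
# Point the pages at the shared openssldir; '|| :' keeps a section without
# any match from failing the scriptlet (xargs would run sed with no files)
grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || :
# The libressl_ prefix is reserved for the copies made below
if find . -name 'libressl_*' | grep -q '.' ; then
echo 'Rewrite spec because upstream libressl_* manpages appeared!'
exit 1
fi
# Make all man pages with potentially the same names as in OpenSSL
# be available in standard man directories, but prevent conflicts with OpenSSL
# (page names come from upstream and contain no whitespace, so word-splitting
# the ls | grep output below is tolerable)
for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do
openssl_LibreSSL_manpage="libressl_${openssl_manpage}"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
# openssl.* pages become libressl.*, matching the renamed binary below
for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do
openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
)
done
mkdir -p %{buildroot}%{_omandir}
cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/
# We have put libressl_ prefixed mans to system man directory,
# now delete them from /opt/libressl/share/man to leave
# mans with original names in /opt/libressl/share/man
# Mans with original names will be included to devel package only
rm -fv %{buildroot}%{_mandir}/*/libressl_*
rm -fv %{buildroot}%{_omandir}/*/openssl.*
# In the system man3 only the libressl_ copies may stay (packaged by %%files devel)
( cd %{buildroot}%{_omandir}/man3 ; rm -fv $(ls -1v | grep -v '^libressl_') )
# Fully delete other mans from /opt
rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}*
# Manually compress man pages because we use both
# /usr/share/man and /opt/libressl/share/man,
# /usr/lib/rpm/brp-compress will not compress both of them
# (a private copy of brp-compress is patched to scan both trees)
mkdir tmp
( cd tmp
sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \
%{_usrlibrpm}/brp-compress > ./brp-compress.sh
chmod +x ./brp-compress.sh
COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh
)
# Binaries go to /usr/bin (FHS); openssl is renamed to libressl so it cannot clash with OpenSSL
mkdir -p %{buildroot}%{_obindir}
mv -v %{buildroot}%{_bindir}/{nc,ocspcheck,openssl} %{buildroot}%{_obindir}/
mv -v %{buildroot}%{_obindir}/openssl %{buildroot}%{_obindir}/libressl
( cd %{buildroot}%{_obindir} ; ln -s nc netcat )
( cd %{buildroot}%{_includedir} ; ln -s openssl libressl )
# Remove static libs
( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a )
# *.pc files live in the system pkgconfig dir (see __pkgconfig_path) under libressl-* names
mkdir -p %{buildroot}/%{_olibdir}/pkgconfig
mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig
for i in share %{_lib}
do
pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig"
if [ ! -d "$pkgconfig_dir" ]; then continue; fi
( cd "$pkgconfig_dir"
for f in *.pc
do
# Every module except openssl.pc must already carry a LibreSSL- prefixed Name:,
# otherwise the renaming below would hide a module under a misleading name
if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then
echo "Name in $f is not prefixed with LibreSSL-"
exit 1
fi
# Restore ability to work with custom prefix
# It is lost due to --exec_prefix=XXX in %%configure
sed -i -r \
-e 's,^exec_prefix=.+,exec_prefix=${prefix},' \
-e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \
-e 's,^includedir=.+,includedir=${prefix}/include,' \
"$f"
mv -v "$f" "libressl-${f}"
# Requires: libxx -> Requires: libressl-libxx
# (the last expression undoes double prefixing of names that were already libressl-*)
sed -i \
-e 's/libcrypto/libressl-libcrypto/g' \
-e 's/libtls/libressl-libtls/g' \
-e 's/libssl/libressl-libssl/g' \
-e 's/libressl-libressl-/libressl-/g' \
"libressl-${f}"
if [ -f libressl-openssl.pc ]; then
mv -v libressl-openssl.pc libressl.pc
fi
done
)
done
# Runtime libraries go to the system libdir, so the /usr/bin binaries need no RPATH;
# %%_libdir keeps only symlinks to them for the devel package
mv -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/
( cd %{buildroot}/%{_libdir}/
for i in %{buildroot}/%{_olibdir}/{libcrypto,libtls,libssl}.so.*
do
filename="$(basename "$i")"
# /opt/libressl/lib
# /usr/lib64/
# Relative symlink is required to use *.so in tests...
# (three levels up from /opt/libressl/lib is /, so the link also resolves inside the buildroot)
# NOTE(review): previously the target name was "$(unknown)", which is not a command
# defined in this spec; $filename is the name the loop computes for this library
ln -s ../../../"%{_olibdir}/$filename" "$filename"
done
)
# Sanity check: no regular shared object may remain in %%_libdir after relocation
if [ "$(find %{buildroot}/%{_libdir}/ -iname '*.so.*' -type f | wc -l)" -gt 0 ]; then
echo "Some shared libraries were not relocated!"
exit 1
fi
# %%dont_remove_rpath is set above, so strip the build-time RPATH by hand:
# installed objects must resolve libs via the system libdir, not a build path
chrpath --delete %{buildroot}/%{_olibdir}/*.so.*
chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck,libressl}
# Stuff from system OpenSSL will be used
rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem}
# Keep LibreSSL's config apart from the openssl.cnf of system OpenSSL (see X509_CONF_FILE in %%build)
mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf
# Having sovers as macros may be useful to check that binaries are linked against LibreSSL
cat << EOF > macros.file
%%libressl_version %{version}
%%libressl_libcrypto_sover %{libcrypto_sover}
%%libressl_libssl_sover %{libssl_sover}
%%libressl_libtls_sover %{libtls_sover}
%%libressl_prefix /opt/libressl
EOF
%install_macro libressl macros.file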
%check
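_pcf(){
# Run the command line given as arguments (normally pkg-config) and publish
# its output through two globals, which callers read after return:
#   oflags - the output exactly as the command printed it
#   nflags - the same with %%{_prefix} rewritten into the buildroot, because
#            /opt/libressl does not exist at build time
# "$@" is quoted so that arguments are not word-split or globbed before eval
unset oflags nflags
oflags="$(eval "$@")"
nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')"
}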
libressl="%{buildroot}/%{_obindir}/libressl"
# These tests caught a lot of mistakes during first builds
export PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig
export LD_LIBRARY_PATH=%{buildroot}/%{_olibdir}
# (test 1) Check that openssldir is correct
$libressl version -d | awk '{print $NF}' | tr -d '""' | grep -q '^%{_openssldir}$'
# (test 2) Check that path to config file is correct
# and also check that pkg-config libressl points to libressl, not openssl
_pcf pkg-config --libs --cflags libressl
%__cc -o test2 %{SOURCE22} $nflags
ldd ./test2
[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1
# Check that our pkgconfig hacks somehow work
# (test 3) There is no /opt/libressl/ at build time
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test3 %{SOURCE20} $nflags
ldd ./test3
ldd ./test3 | grep 'libcrypto\.so\.%{libcrypto_sover}'
./test3 | grep Hello
# (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly
# (build with libcrypto from OpenSSL)
_pcf pkg-config --libs --cflags libcrypto
%__cc -o test4 %{SOURCE20} $nflags
ldd ./test4
ldd ./test4 | grep -v '/libcrypto\.so\.%{libcrypto_sover}'
./test4 | grep Hello
# (test 5) Check that flags from all *.pc are valid
# libtls is overlinking here, but check linking
_pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto
%__cc -o test5 %{SOURCE25} $nflags -lpthread -lz -ldl
ldd ./test5
ldd ./test5 | grep '/libcrypto\.so\.%{libcrypto_sover}'
ldd ./test5 | grep '/libssl\.so\.%{libssl_sover}'
ldd ./test5 | grep '/libtls\.so\.%{libtls_sover}'
./test5 --threads 2
# (test 6) Check that gost12sum (from OpenSSL gost-engine) and LibreSSL give the same result
# This also simply checks that checksums by GOST do work
echo test6 > ./test6
# gost12sum is Streebog-256, gostsum -l is Streebog-512
_gost12sum="$(gost12sum ./test6 | awk '{print $1}')"
_libressl="$($libressl dgst -streebog256 ./test6 | awk '{print $NF}')"
[ "$_gost12sum" = "$_libressl" ] || exit 1
# (test 7) The same for Streebog-512
echo test7 > ./test7
_gost12sum="$(gost12sum -l ./test7 | awk '{print $1}')"
_libressl="$($libressl dgst -streebog512 ./test7 | awk '{print $NF}')"
[ "$_gost12sum" = "$_libressl" ] || exit 1
unset _gost12sum _libressl
# (test 8) Check that LibreSSL and gostsum use different byte order in GOST R 34.11-94 hashes
# https://ru.wikipedia.org/wiki/ГОСТ_Р_34.11-94#Формат_вывода
# ...and that their hash tables do not differ
# https://github.com/gost-engine/engine/issues/189
# If byte orders change, package maintainers must become aware of this via this test failing
# Running the same hashsumming for multiple times checks that results do not randomize
echo test8 > ./test8
_gs_beg="$(gostsum ./test8 | awk '{print $1}' | head -c2)"
_gs_end="$(gostsum ./test8 | awk '{print $1}' | tail -c3)" #-c3 because of EOL
_ls_beg="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | head -c2)"
_ls_end="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | tail -c3)"
_gs_length="$(gostsum ./test8 | awk '{print $1}' | wc -c)"
_ls_length="$($libressl dgst -md_gost94 ./test8 | awk '{print $NF}' | wc -c)"
[ "$_gs_beg" = "$_ls_end" ] && \
[ "$_gs_end" = "$_ls_beg" ] && \
[ "$_gs_length" = "$_ls_length" ] || exit 1
unset _gs_beg _gs_end _ls_beg _ls_end _gs_length _ls_length
# (test 9) Test ability to sign using program that requires OPENSSL_NO_CMS to be undefined
# https://bugzilla.kernel.org/show_bug.cgi?id=202159
# and ability to generate GOST R 34.10-12 keys
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test9 %{SOURCE29} $nflags
export OPENSSL_CONF=%{buildroot}%{_openssldir}/libressl.cnf
$libressl ecparam -genkey -name id-tc26-gost-3410-12-512-paramSetA -out priv.key -outform PEM
$libressl req -batch -new -x509 -nodes -key priv.key -out pem1.pem \
-subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root"
# Also possible to gen a new key and a certificate in one command:
# libressl req <...> -newkey ec -pkeyopt ec_paramgen_curve:id-tc26-gost-3410-12-512-paramSetA
# Signature Algorithm: ecdsa-with-SHA256
$libressl x509 -in pem1.pem -text -noout | grep -E 'Signature Algorithm:.*ecdsa-with-SHA256'
$libressl req -new -nodes -utf8 -batch -x509 -newkey gost2001 \
-pkeyopt dgst:streebog512 -pkeyopt paramset:A -streebog512 \
-days 109500 \
-subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root" \
-outform PEM -out pem2.pem -keyout pem2.pem
$libressl x509 -in pem2.pem -text -noout
$libressl x509 -in pem2.pem -text -noout | grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
$libressl x509 -in pem2.pem -text -noout | grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
$libressl x509 -in pem2.pem -text -noout | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
echo 123 > test9_file1
echo 123 > test9_file2
# Known to fail with: "CMS routines:func(4095):not supported for this key type"
./test9 streebog512 priv.key pem1.pem test9_file1 || :
$libressl dgst -streebog512 -sign pem2.pem test9_file2 > test9_file2.sig
./test9 -s test9_file2.sig streebog512 pem2.pem test9_file2
strings test9_file2 | tail -n 1 | grep -q '~Module signature appended~'