libressl/libressl.spec
Mikhail Novosyolov 709fb483dc Init
2019-11-30 20:27:00 +03:00


This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# The initial purpose of packaging LibreSSL was the need to have a handy
# tool to work with GOST keys easily (LibreSSL has GOSTs out of the box).
# netcat-openbsd is now also packaged here.
# LibreSSL is a fork of OpenSSL and has the same library, binary
# and function names, that is why it cannot coexist with OpenSSL
# easily and is packaged into a separate prefix here.
# Remember some directories before changing %%_prefix, o - original
%define _oprefix /usr
%define _obindir %{_oprefix}/bin
%define _omandir %{_oprefix}/share/man
%define _olibdir %{_oprefix}/%{_lib}
# From here on %%_prefix (and everything derived from it) means the private
# tree. Its lib directory is embedded as RUNPATH into the binaries of the main
# package (see the build and install sections), so the tree has to stay
# owned by root and not writable by other users after installation.
%define _prefix /opt/libressl
# No need to have /opt/libressl/lib64, use /opt/libressl/lib
%define _libdir %{_prefix}/lib
# Keep package docs in normal locations
%define _defaultdocdir %{_oprefix}/share/doc
# Disable /usr/share/spec-helper/relink_symlinks
# to make sure that symlinks are not broken
%define dont_relink 1
# If man pages compression is not set up, skip it
%{?!_compress:%define _compress /bin/true}
%{?!_extension:%define _extension .xz}
# Fallback to the old external dependency generator
# http://lists.rosalab.ru/pipermail/rosa-devel/2013-April/004702.html
# http://lists.rosalab.ru/pipermail/rosa-devel/2013-April/004703.html
# because there is no way to filter by filepath in the internal one
# TODO: avoid using external dep. gen.
%define _use_internal_dependency_generator 0
# Those libraries in /opt are not available without RPATH or ld.so.conf
%define _exclude_files_from_autoprov %{_libdir}
# We rename e.g. libtls.pc to libressl-tls.pc, make sure that we do not
# get odd provides and break the repository if we forget to rename something
#define __noautoprov '.*openssl.*|pkgconfig\\(lib.*'
%define _provides_exceptions '.*openssl.*|pkgconfig(lib.*'
# libressl-devel must not require devel(libxxx)
# because it has those devels inside itself
%define _requires_exceptions 'devel(lib.*'
# Ideas behind this dependency generation crap are the following:
# - libressl-devel must provide pkgconfig(libressl*)
# - libressl-devel must not provide pkgconfig(openssl),
# pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl)
# to prevent conflicts with OpenSSL
# - libressl must not depend on separate library packages with
# libtls.so.*, libcrypto.so.*, libssl.so.*, instead it has
# copies of those libraries in /opt/libressl/lib/ and has RPATH
# - packages netcat-openbsd and ocspcheck are intended to be
# installable without installing libressl package with a lot of
# odd stuff; so libtls.so.*, libcrypto.so.* and libssl.so.* are
# packaged into separate packages, RPATHs are removed and nc
# and ocspcheck must depend on separate libs packages and will
# use /usr/lib(64)/lib*.so.* instead of /opt/libressl/lib/*.so.*
# - there are no per-library devel packages, only one libressl-devel.
# // mikhailnov, 30.11.2019
# Soname versions of the three libraries. They are used in the names of the
# library subpackages, in their file lists and in the link checks of the
# check section, so they have to be updated together with Version.
%define libcrypto_sover 45
%define libssl_sover 47
%define libtls_sover 19
%define libssl_pkg %mklibname ssl_libressl %{libssl_sover}
%define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover}
%define libtls_pkg %mklibname tls_libressl %{libtls_sover}
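Summary: LibreSSL utils and libs coexisting with OpenSSL
Name: libressl
# This is a TLS/crypto library: keep Version in step with upstream stable
# releases so that security fixes reach the users of this package
Version: 3.0.2
Release: 1
# The code is distributed under ISC license except of original OpenSSL code
License: ISC and BSD-like
Group: System/Libraries
Url: https://www.libressl.org
# Fetch the tarball over HTTPS and, before importing a new version, verify it
# against the detached signature that upstream publishes next to it
Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz
# TODO: add printing config location to `openssl version`
# Listed as a Source, not a Patch: the prep section rewrites its paths first
Source1: 0001-Allow-custom-config-location.patch
Source10: libressl.rpmlintrc
# If both openssl and libressl libraries are loaded into one runtime,
# versioning their symbols will or may allow them to coexist
# (patch from ALT Linux)
Patch2: SUSE-extra-symver.patch
# From https://www.mitchr.me/SS/exampleCode/openssl.html
Source20: test.c
Source22: test2.c
# From import/openssl, originates from Fedora
Source25: test5.c
# To get %%_openssldir and for %%check
BuildRequires: openssl-devel
# readelf <...> | <...>
BuildRequires: binutils grep gawk
BuildRequires: chrpath
# This LibreSSL uses /etc/pki/tls from system OpenSSL
# but most functions will work without its files
Suggests: openssl
# Prevent dependencies from lib*_libressl* subpackages for the main package
# because it may freely use /opt/libressl/lib/*.so.*
# but put "Autoreq: 1" in other subpackages which may be installed without
# libressl main package being installed and will use /usr/lib(64)/.*so.*
Autoreq: 0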
%description
LibreSSL utils and libs coexisting with OpenSSL.
GOST is supported out of the box.
%files
%doc ChangeLog COPYING
# %%_bindir here is /opt/libressl/bin
# %%_obindir is /usr/bin
# %%_mandir is /opt/libressl/share/man
# %%_omandir is /usr/share/man
%{_bindir}/openssl
%{_bindir}/libressl
%{_obindir}/libressl
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_omandir}/*/*
# Private copies of the runtime libraries, found through RUNPATH
%{_libdir}/*.so.*
# LibreSSL keeps its own configuration files inside the openssldir shared with
# OpenSSL; noreplace preserves local edits on package upgrade
%config(noreplace) %{_openssldir}/libressl.cnf
%config(noreplace) %{_openssldir}/x509v3.cnf
# Everything excluded below is shipped by a subpackage instead:
# man3 and *.so by devel, nc/netcat and ocspcheck pages by their own packages
%exclude %{_omandir}/man3/*
%exclude %{_omandir}/*/nc.*
%exclude %{_omandir}/*/netcat.*
%exclude %{_omandir}/*/ocspcheck.*
%exclude %{_libdir}/*.so
#-------------------------------------------------------------------------------------
# The three library subpackages below carry the copies that the install section
# puts into the system libdir (%%_olibdir) with RPATH/RUNPATH removed; they are
# what nc and ocspcheck link to. Each file list globs on the soname version
# macro, so a soname change without a macro update leaves the package empty
# and fails the build.
%package -n %{libcrypto_pkg}
Summary: libcrypto library from LibreSSL
Autoreq: 1
%description -n %{libcrypto_pkg}
libcrypto library from LibreSSL
%files -n %{libcrypto_pkg}
%{_olibdir}/libcrypto.so.%{libcrypto_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libssl_pkg}
Summary: libssl library from LibreSSL
Autoreq: 1
%description -n %{libssl_pkg}
libssl library from LibreSSL
%files -n %{libssl_pkg}
%{_olibdir}/libssl.so.%{libssl_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libtls_pkg}
Summary: libtls library from LibreSSL
Autoreq: 1
%description -n %{libtls_pkg}
libtls library from LibreSSL
%files -n %{libtls_pkg}
%{_olibdir}/libtls.so.%{libtls_sover}*
#-------------------------------------------------------------------------------------
# Single development package for all three libraries. It is pinned to the
# exact version-release of the main package.
%package devel
Summary: LibreSSL devel package
Requires: %{name} = %{EVRD}
Autoreq: 1
%description devel
LibreSSL devel package. Devel libraries are in %{_libdir},
but the same runtime libraries exist in
%{_libdir}
and
%{_olibdir}.
After linking, binaries will load libs from %{_olibdir}.
When using pkg-config, RPATH is set to %{_libdir},
remove RPATH/RUNPATH manually if needed.
%files devel
%doc ChangeLog COPYING
# Unversioned linker symlinks stay in the private prefix so that a plain
# -lssl / -lcrypto on this system keeps resolving to OpenSSL
%{_libdir}/*.so
# The .pc files are renamed to libressl-*.pc in the install section, so they
# can sit in the system pkgconfig directory next to the OpenSSL ones
%{_olibdir}/pkgconfig/*.pc
%{_includedir}
%{_mandir}/man3/*
%{_omandir}/man3/*
#-------------------------------------------------------------------------------------
# Installed into the system bindir with its RPATH removed (install section), so
# with Autoreq enabled it depends on the separate library subpackages rather
# than on the main libressl package.
%package -n ocspcheck
Summary: Utility to validate certificates
Autoreq: 1
%description -n ocspcheck
Utility to validate a certificate against its OCSP responder and
save the reply for stapling
%files -n ocspcheck
%doc ChangeLog COPYING
%{_obindir}/ocspcheck
%{_omandir}/man*/ocspcheck.*
#-------------------------------------------------------------------------------------
# nc built from the LibreSSL tree (configure is run with --enable-nc). Like
# ocspcheck it lives in the system bindir without RPATH and uses the separate
# library subpackages.
%package -n netcat-openbsd
Summary: Reads and writes data across network connections using TCP or UDP
# Other netcat implementations install the same command names
Conflicts: netcat < 1.0
Conflicts: netcat-traditional
Conflicts: netcat-gnu
# netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced
#Obsoletes: netcat-openbsd < 1.89.1
Provides: netcat-tls = %{EVRD}
Provides: netcat-libressl = %{EVRD}
Provides: nc = %{EVRD}
Autoreq: 1
%description -n netcat-openbsd
The nc package contains Netcat (the program is actually nc), a simple
utility for reading and writing data across network connections, using
the TCP or UDP protocols. Netcat is intended to be a reliable back-end
tool which can be used directly or easily driven by other programs and
scripts. Netcat is also a feature-rich network debugging and
exploration tool, since it can create many different connections and
has many built-in capabilities.
You may want to install the netcat package if you are administering a
network and you'd like to use its debugging and network exploration
capabilities.
%files -n netcat-openbsd
%doc ChangeLog COPYING
%{_obindir}/nc
# netcat is a symlink to nc created in the install section
%{_obindir}/netcat
%{_omandir}/man*/nc.*
%{_omandir}/man*/netcat.*
#-------------------------------------------------------------------------------------
%prep
%setup -q
%patch2 -p2
# SOURCE1 was written against the git tree at https://github.com/libressl-portable/
# The release tarball lays the same files out differently, so the paths inside
# the patch are translated to the tarball layout before it is applied
sed \
-e 's,src/lib/libcrypto/,crypto/,g' \
-e 's,src/usr.bin/openssl/,apps/openssl/,g' \
%{SOURCE1} > 1.patch
patch -p1 -i 1.patch
%build
%setup_compile_flags
%serverbuild
# Use the same %%_openssl dir with OpenSSL, but separate the config
# (note that we patch libressl, X509_CONF_FILE is not upstream)
export CFLAGS="$CFLAGS -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'"
# Embed the absolute path of the private libdir as the library search path
# of everything linked here. The install section verifies it on the files that
# stay in the private prefix and strips it from the files moved under /usr.
# TODO: why by default without this runpath is not set on libcrypto.so*,
# but is set on libtls.so* and libssl.so*?
export LDFLAGS="$LDFLAGS -Wl,-rpath=%{_libdir}"
# Regenerate the autotools files; the trailing note ties this to patch2
autoreconf -if #patch2
# static libs are required for tests target in Makefile
# (they are deleted again in the install section and are not packaged)
%configure2_5x \
--enable-nc \
--enable-static \
--with-openssldir=%{_openssldir}
%make
%install
set +f # explicitly enable shell globbing
%makeinstall_std
# Some ideas about mans are from ALT Linux spec
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1
mkdir -p %{buildroot}%{_mandir}/man8/
install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8
# For every man section that exists: point the pages at the real openssldir,
# then create libressl-prefixed copies for the system man tree
for i in $(seq 1 8)
do
man_dir="%{buildroot}%{_mandir}/man${i}"
if [ ! -d "$man_dir" ]; then continue; fi
( cd "$man_dir"
# Upstream pages mention /etc/ssl; this build uses the openssldir of the system
grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || :
# The libressl_ prefix is reserved for the copies made below; stop if
# upstream starts shipping pages with that prefix itself
if find . -name 'libressl_*' | grep -q '.' ; then
echo 'Rewrite spec because upstream libressl_* manpages appeared!'
exit 1
fi
# Make all man pages with potentially the same names as in OpenSSL
# be available in standard man directories, but prevent conflicts with OpenSSL
for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do
openssl_LibreSSL_manpage="libressl_${openssl_manpage}"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
# Pages of the openssl command itself are copied under the libressl name
for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do
openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
)
done
mkdir -p %{buildroot}%{_omandir}
cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/
# We have put libressl_ prefixed mans to system man directory,
# now delete them from /opt/libressl/share/man to leave
# mans with original names in /opt/libressl/share/man
rm -fv %{buildroot}%{_mandir}/*/libressl_*
rm -fv %{buildroot}%{_omandir}/*/openssl.*
# Fully delete other mans from /opt
rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}*
# Manually compress man pages because we use both
# /usr/share/man and /opt/libressl/share/man,
# /usr/lib/rpm/brp-compress will not compress both of them
# The helper is a copy of the distribution's brp-compress with only the man
# path list replaced; it is written into and run from the build directory
mkdir tmp
pushd tmp
sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \
%{_usrlibrpm}/brp-compress > ./brp-compress.sh
chmod +x ./brp-compress.sh
COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh
popd
# nc and ocspcheck go to the system bindir; openssl stays in the private prefix
# and is reachable from the system bindir only under the name libressl
mkdir -p %{buildroot}%{_obindir}
mv -v %{buildroot}%{_bindir}/{nc,ocspcheck} %{buildroot}%{_obindir}/
( cd %{buildroot}%{_bindir} ; ln -s openssl libressl )
( cd %{buildroot}%{_obindir} ; ln -s %{_bindir}/openssl libressl )
( cd %{buildroot}%{_obindir} ; ln -s nc netcat )
( cd %{buildroot}%{_includedir} ; ln -s openssl libressl )
# Remove static libs
( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a )
# The build embeds RUNPATH because the binaries of this package are linked with
# /opt/libressl/lib/*.so.*; every executable file under the private bindir and
# libdir must carry exactly that directory as its RUNPATH, anything else
# (missing, relative, or a build-time path) stops the build
for elf in $(find %{buildroot}%{_bindir} %{buildroot}%{_libdir} -type f -executable)
do
	runpath="$(readelf -a "$elf" | grep '(RUNPATH)' | head -n 1 | awk '{print $NF}' | tr -d '[]')"
	[ "$runpath" = '%{_libdir}' ] && continue
	echo "Empty or incorrect RPATH on ${elf}!"
	exit 1
done
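# Move the pkg-config files into the system pkgconfig directory and rewrite
# them so that they (a) are named libressl-*.pc and cannot shadow OpenSSL's,
# (b) still honour a custom prefix, (c) add the private libdir as rpath and
# (d) refer to each other by the new libressl-* names.
mkdir -p %{buildroot}/%{_olibdir}/pkgconfig
mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig
for i in share %{_lib}
do
	pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig"
	if [ ! -d "$pkgconfig_dir" ]; then continue; fi
	( cd "$pkgconfig_dir"
	for f in *.pc
	do
		# Guard against a foreign or unexpected .pc file ending up here:
		# every file except openssl.pc must identify itself as LibreSSL-*
		if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then
			echo "Name in $f is not prefixed with LibreSSL-"
			exit 1
		fi
		# Restore ability to work with custom prefix
		# It is lost due to --exec_prefix=XXX in %%configure2_5x
		sed -i -r \
			-e 's,^exec_prefix=.+,exec_prefix=${prefix},' \
			-e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \
			-e 's,^includedir=.+,includedir=${prefix}/include,' \
			"$f"
		# TODO: is rpath in *.pc really needed?
		if ! grep '^Libs:' "$f"
		then
			echo 'Libs: -Wl,-rpath=${libdir}' >> "$f"
		else
			# https://unix.stackexchange.com/a/328656
			sed -i -e '/^Libs:/s/$/ -Wl,-rpath=${libdir}/' "$f"
			# Fail if the rpath did not end up on the Libs: line
			grep '^Libs:' "$f" | grep -q rpath || exit 1
		fi
		mv -v "$f" "libressl-${f}"
		# Requires: libxx -> Requires: libressl-libxx
		# (the libtls replacement used to be misspelled "liblts", which made
		# references to libtls point at a module name that does not exist)
		sed -i \
			-e 's/libcrypto/libressl-libcrypto/g' \
			-e 's/libtls/libressl-libtls/g' \
			-e 's/libssl/libressl-libssl/g' \
			-e 's/libressl-libressl-/libressl-/g' \
			"libressl-${f}"
		# The former openssl.pc becomes the umbrella module "libressl"
		if [ -f libressl-openssl.pc ]; then
			mv -v libressl-openssl.pc libressl.pc
		fi
	done
	)
done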
# Second copies of the runtime libraries for the system libdir; these are
# packaged into the separate library subpackages
cp -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/
# Nothing that is installed under /usr may keep an embedded library search
# path: strip RPATH/RUNPATH from the copied libraries and from nc/ocspcheck
chrpath --delete %{buildroot}/%{_olibdir}/*.so.*
chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck}
# Stuff from system OpenSSL will be used
# No CA bundle or certs directory is shipped by this package, so certificate
# verification relies on what the system provides in the shared openssldir.
# NOTE(review): openssl is only a Suggests of the main package - confirm that
# the trust store is present on systems where it is not installed
rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem}
mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf
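%check
# Run the given command (a pkg-config query) and set two shell variables:
#  oflags - its output as printed
#  nflags - the same flags with the install prefix redirected into the
#           buildroot, because the prefix does not exist on the build host
_pcf(){
	unset oflags nflags
	# "$@" runs the command exactly as passed; eval would re-parse the arguments
	oflags="$("$@")"
	nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')"
}
# Let the test binaries find the freshly built libraries inside the buildroot
rflags="-Wl,-rpath=%{buildroot}%{_libdir},-rpath=%{buildroot}%{_olibdir}"
# These tests caught a lot of mistakes during first builds
export PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig
# (test 1) Check that openssldir is correct
export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}
%{buildroot}/%{_bindir}/libressl version -d | awk '{print $NF}' | tr -d '""' | grep -q '^%{_openssldir}$'
unset LD_LIBRARY_PATH
# (test 2) Check that path to config file is correct
# and also check that pkg-config libressl points to libressl, not openssl
_pcf pkg-config --libs --cflags libressl
%__cc -o test2 %{SOURCE22} $nflags $rflags
ldd ./test2
[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1
# Check that our pkgconfig hacks somehow work
# (test 3) There is no /opt/libressl/ at build time
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test3 %{SOURCE20} $nflags $rflags
ldd ./test3
ldd ./test3 | grep -E '%{_prefix}.*/libcrypto\.so\.%{libcrypto_sover}'
./test3 | grep Hello
# (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly
# (build with libcrypto from OpenSSL)
_pcf pkg-config --libs --cflags libcrypto
%__cc -o test4 %{SOURCE20} $nflags $rflags
ldd ./test4
# grep -v succeeds as soon as any line does not match, so it cannot prove
# that something is absent; fail explicitly if a LibreSSL library or the
# private prefix shows up in a binary that must use OpenSSL
if ldd ./test4 | grep -E 'libcrypto\.so\.%{libcrypto_sover}|%{_prefix}' ; then
	echo 'test4 is linked with LibreSSL, but must use libcrypto from OpenSSL'
	exit 1
fi
./test4 | grep Hello
# (test 5) Check that flags from all *.pc are valid
# libtls is overlinking here, but check linking
_pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto
# The compiler macro must be spelled with ASCII letters: a look-alike
# (e.g. Cyrillic) spelling is a different, undefined macro and the line
# would not invoke the compiler
%__cc -o test5 %{SOURCE25} $nflags $rflags -lpthread -lz -ldl
ldd ./test5
# Inspect test5 itself (these checks used to look at test3, which is linked
# with libcrypto only)
ldd ./test5 | grep -E '%{_prefix}.*/libcrypto\.so\.%{libcrypto_sover}'
ldd ./test5 | grep -E '%{_prefix}.*/libssl\.so\.%{libssl_sover}'
ldd ./test5 | grep -E '%{_prefix}.*/libtls\.so\.%{libtls_sover}'
./test5 --threads 2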