libressl/libressl.spec
Mikhail Novosyolov 75ad3445f5 Fix typos in test5
2019-12-08 11:56:13 +03:00


# Initial purpose of packaging LibreSSL was the need to have a handy
# tool to work with GOST keys easily (LibreSSL has GOSTs out of the box).
# netcat-openbsd is now also packaged here.
# LibreSSL is a fork of OpenSSL and has the same library, binary
# and function names; that is why it cannot coexist with OpenSSL
# easily and is packaged into a separate prefix here.
# Remember some directories before changing %%_prefix, o - original
%define _oprefix /usr
%define _obindir %{_oprefix}/bin
%define _omandir %{_oprefix}/share/man
%define _olibdir %{_oprefix}/%{_lib}
%define _prefix /opt/libressl
# No need to have /opt/libressl/lib64, use /opt/libressl/lib
%define _libdir %{_prefix}/lib
# Keep package docs in normal locations
%define _defaultdocdir %{_oprefix}/share/doc
# Disable /usr/share/spec-helper/relink_symlinks
# to make sure that symlinks are not broken
%define dont_relink 1
# Manually control RPATHs
%define dont_remove_rpath 1
# If man pages compression is not set up, skip it
%{?!_compress:%define _compress /bin/true}
%{?!_extension:%define _extension .xz}
# Ideas behind this package are the following:
# - libressl-devel must provide pkgconfig(libressl*)
# - libressl-devel must not provide pkgconfig(openssl),
# pkgconfig(libtls), pkgconfig(libcrypto), pkgconfig(libssl)
# to prevent conflicts with OpenSSL
# - packages netcat-openbsd, ocspcheck, libressl are intended to
# comply with FHS, so libtls.so.*, libcrypto.so.* and libssl.so.*
# are packaged into separate packages, RPATHs are removed and
# /usr/bin/* must depend on the separate libs packages and will
# use /usr/lib(64)/lib*.so.*
# - there are no per-library devel packages, only one libressl-devel
# with symlinks /opt/libressl/lib/*.so -> /usr/lib(64)/*.so.*
# - the non-FHS-compliant /opt is used only for the devel package to allow
# coinstallability with OpenSSL devel packages
# // mikhailnov, 03.12.2019
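# We rename e.g. libtls.pc to libressl-libtls.pc; make sure that we do not
# get odd provides and break the repository if we forget to rename something.
# Filter out provides like 'devel(libcrypto(64bit))' (they are in OpenSSL).
# The pkgconfig alternative must list tls, crypto and ssl, the same three
# names as the devel alternative, so that an accidental pkgconfig(libcrypto)
# provide is filtered as well.
%define __noautoprov \
'.*openssl.*|pkgconfig\\(lib(tls|crypto|ssl)\\)|devel\\(lib(tls|crypto|ssl).*\\).*'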
%define libcrypto_sover 46
%define libssl_sover 48
%define libtls_sover 20
%define libssl_pkg %mklibname ssl_libressl %{libssl_sover}
%define libcrypto_pkg %mklibname crypto_libressl %{libcrypto_sover}
%define libtls_pkg %mklibname tls_libressl %{libtls_sover}
%define base_version 3.0.2
%define git_date 20191207
Summary: LibreSSL utils and libs coexisting with OpenSSL
Name: libressl
Version: %{base_version}.git%{git_date}
Release: 12
# The code is distributed under the ISC license, except for the original OpenSSL code
License: ISC and BSD-like
Group: System/Base
Url: http://libressl.org
# Using a git snapshot, because CMS (Cryptographic Message Syntax)
# was enabled later than v3.0.2, includes a lot of commits and is needed.
# TODO: switch to release tarballs in next versions.
# https://bugzilla.kernel.org/show_bug.cgi?id=202159
# To make a tarball from git:
# git clone https://github.com/libressl-portable/portable.git
# ./autogen.sh && ./dist.sh
# Built from:
# - libressl-portable/portable commit 5542c18
# - libressl-portable/openbsd commit af32f91
# NOTE(review): Source0 is a tarball generated locally from the git snapshot
# described above, so it cannot be compared with an upstream release checksum
# or signature. The commit ids listed here are abbreviated; recording the full
# commit hashes and a digest of the generated tarball would make the snapshot
# reproducible and independently verifiable.
# NOTE(review): the commented-out release URL below uses plain http; when
# switching back to release tarballs, prefer an https URL and verify the
# download before building.
#Source0: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-%{version}.tar.gz
Source0: libressl-%{version}.tar.gz
# TODO: add printing config location to `openssl version`
Source1: 0001-Allow-custom-config-location.patch
Source10: libressl.rpmlintrc
# If both openssl and libressl libraries are loaded into one runtime,
# versioning their symbols will or may allow them to coexist
Patch2: SUSE-extra-symver.patch
# From https://www.mitchr.me/SS/exampleCode/openssl.html
Source20: test.c
Source22: test2.c
# From import/openssl, originates from Fedora
Source25: test5.c
# From Linux kernel 5.3.15, scripts/sign-file.c
Source29: test9.c
# To get %%_openssldir and for %%check
BuildRequires: openssl-devel
BuildRequires(check): gostsum
# readelf <...> | <...>
BuildRequires: binutils grep gawk
BuildRequires: chrpath
# This LibreSSL uses /etc/pki/tls from system OpenSSL
# but most functions will work without its files
Suggests: openssl
Autoreq: 1
%description
LibreSSL utils and libs coexisting with OpenSSL.
GOST is supported out of the box.
%files
%doc ChangeLog COPYING
# %%_bindir here is /opt/libressl/bin
# %%_obindir is /usr/bin
# %%_mandir is /opt/libressl/share/man
# %%_omandir is /usr/share/man
%{_obindir}/libressl
%config(noreplace) %{_openssldir}/libressl.cnf
%config(noreplace) %{_openssldir}/x509v3.cnf
%{_omandir}/*/*
%exclude %{_omandir}/man3/*
%exclude %{_omandir}/*/nc.*
%exclude %{_omandir}/*/netcat.*
%exclude %{_omandir}/*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n %{libcrypto_pkg}
Summary: libcrypto library from LibreSSL
Group: System/Libraries
Autoreq: 1
%description -n %{libcrypto_pkg}
libcrypto library from LibreSSL
%files -n %{libcrypto_pkg}
%{_olibdir}/libcrypto.so.%{libcrypto_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libssl_pkg}
Summary: libssl library from LibreSSL
Group: System/Libraries
Autoreq: 1
%description -n %{libssl_pkg}
libssl library from LibreSSL
%files -n %{libssl_pkg}
%{_olibdir}/libssl.so.%{libssl_sover}*
#-------------------------------------------------------------------------------------
%package -n %{libtls_pkg}
Summary: libtls library from LibreSSL
Group: System/Libraries
Autoreq: 1
%description -n %{libtls_pkg}
libtls library from LibreSSL
%files -n %{libtls_pkg}
%{_olibdir}/libtls.so.%{libtls_sover}*
#-------------------------------------------------------------------------------------
%package devel
Summary: LibreSSL devel package
Group: Development/C
Requires: %{name} = %{EVRD}
# symlinks /opt/libressl/lib/*.so.* -> /usr/lib(64)/*.so.*
Requires: %{libcrypto_pkg} = %{EVRD}
Requires: %{libtls_pkg} = %{EVRD}
Requires: %{libssl_pkg} = %{EVRD}
# Add provides to pull this package by common devel names
Provides: %{mklibname crypto_libressl -d} = %{EVRD}
Provides: %{mklibname tls_libressl -d} = %{EVRD}
Provides: %{mklibname ssl_libressl -d} = %{EVRD}
# Automatic provides like 'devel(libcrypto(64bit))' are blocked by
# filters to prevent conflicts with OpenSSL
# devel(libfoo) are RPM_VENDOR_MANDRIVA-specific in RPM 5
# TODO: probably no real need in emulating devel(libfoo)
%if 0%{?mdvver}
%if %{?_lib} == "lib64"
%define b64 (64bit)
%else
%define b64 %{nil}
%endif
Provides: devel(libressl-libtls%{b64})
Provides: devel(libressl-libcrypto%{b64})
Provides: devel(libressl-libssl%{b64})
%endif
Autoreq: 1
%description devel
LibreSSL devel package. Devel libraries are in %{_libdir},
runtime libraries are in %{_olibdir},
pkg-config sets -I%{_libdir} in CFLAGS.
%files devel
%doc ChangeLog COPYING
%{_libdir}/*.so
# symlinks to %%{_olibdir}/*.so.*, only for devel package
%{_libdir}/*.so.*
%{_olibdir}/pkgconfig/*.pc
%{_includedir}
%{_mandir}/*/*
%{_omandir}/man3/*
#-------------------------------------------------------------------------------------
%package -n ocspcheck
Summary: Utility to validate certificates
Group: System/Base
Autoreq: 1
%description -n ocspcheck
Utility to validate a certificate against its OCSP responder and
save the reply for stapling
%files -n ocspcheck
%doc ChangeLog COPYING
%{_obindir}/ocspcheck
%{_omandir}/man*/ocspcheck.*
#-------------------------------------------------------------------------------------
%package -n netcat-openbsd
Summary: Reads and writes data across network connections using TCP or UDP
Group: System/Base
Conflicts: netcat < 1.0
Conflicts: netcat-traditional
Conflicts: netcat-gnu
# netcat-openbsd 1.89 was imported from Mandriva in 2012 and now, in 2019, is replaced
#Obsoletes: netcat-openbsd < 1.89.1
Provides: netcat-tls = %{EVRD}
Provides: netcat-libressl = %{EVRD}
Provides: nc = %{EVRD}
# Provide "netcat" but of a lower version than the real netcat
# to allow other packages to depend on any variant of netcat
Provides: netcat = 1.0
Autoreq: 1
%description -n netcat-openbsd
The nc package contains Netcat (the program is actually nc), a simple
utility for reading and writing data across network connections, using
the TCP or UDP protocols. Netcat is intended to be a reliable back-end
tool which can be used directly or easily driven by other programs and
scripts. Netcat is also a feature-rich network debugging and
exploration tool, since it can create many different connections and
has many built-in capabilities.
You may want to install the netcat package if you are administering a
network and you'd like to use its debugging and network exploration
capabilities.
%files -n netcat-openbsd
%doc ChangeLog COPYING
%{_obindir}/nc
%{_obindir}/netcat
%{_omandir}/man*/nc.*
%{_omandir}/man*/netcat.*
#-------------------------------------------------------------------------------------
%prep
%setup -q -n %{name}-%{base_version}
%patch2 -p1
# Source1 was written against the upstream git repositories
# (https://github.com/libressl-portable/), while the dist tarball uses a
# different directory layout. Rewrite the paths inside the patch to the
# tarball layout, keep the result as 1.patch, then apply it.
sed \
  -e 's,src/lib/libcrypto/,crypto/,g' \
  -e 's,src/usr.bin/openssl/,apps/openssl/,g' \
  < %{SOURCE1} > 1.patch
patch -p1 < 1.patch
%build
%setup_compile_flags
%serverbuild
# Share the openssldir with system OpenSSL, but point LibreSSL at its own
# configuration file. X509_CONF_FILE exists only because of the local patch;
# it is not an upstream define.
CFLAGS="${CFLAGS} -DX509_CONF_FILE='\"%{_openssldir}/libressl.cnf\"'"
export CFLAGS
# Regenerate the autotools files (the original marks this as related to patch2)
autoreconf --install --force
# Static libraries are required by the tests target in the Makefile
%configure2_5x \
  --with-openssldir=%{_openssldir} \
  --enable-static \
  --enable-nc
%make
%install
set +f # explicitly enable shell globbing
%makeinstall_std
# Some ideas about mans are from ALT Linux spec
# Install the nc and ocspcheck man pages by hand; nc.1 is installed a second
# time under the name netcat.1.
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/nc.1
install -m 0644 apps/nc/nc.1 %{buildroot}%{_mandir}/man1/netcat.1
mkdir -p %{buildroot}%{_mandir}/man8/
install -m 0644 apps/ocspcheck/ocspcheck.8 %{buildroot}%{_mandir}/man8/ocspcheck.8
# Walk man1..man8 in the private prefix and create the renamed copies that
# will later be shipped in the system man directory.
for i in $(seq 1 8)
do
man_dir="%{buildroot}%{_mandir}/man${i}"
if [ ! -d "$man_dir" ]; then continue; fi
( cd "$man_dir"
# Replace the /etc/ssl path in the pages with the configured openssldir.
# "|| :" makes this step best-effort: its failure does not stop the build.
grep -Irl '/etc/ssl' . | xargs sed -i 's,/etc/ssl,%{_openssldir},g' || :
# Guard: the renaming below assumes upstream ships no libressl_* pages.
# NOTE(review): exit 1 only leaves this subshell; the build stops here only
# if the scriptlet shell aborts on a failed command - confirm that it does.
if find . -name 'libressl_*' | grep -q '.' ; then
echo 'Rewrite spec because upstream libressl_* manpages appeared!'
exit 1
fi
# Make all man pages with potentially the same names as in OpenSSL
# be available in standard man directories, but prevent conflicts with OpenSSL
# NOTE(review): the lists below come from word-splitting ls output, so a
# file name containing whitespace would be split into several words.
for openssl_manpage in $(ls -1v | grep -vE '^LIBRESSL_|^netcat|^nc|^ocspcheck|^openssl\.') ; do
openssl_LibreSSL_manpage="libressl_${openssl_manpage}"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
# Pages named openssl.* are copied with openssl replaced by libressl in
# the file name instead of getting the libressl_ prefix.
for openssl_manpage in $(ls -1v | grep '^openssl\.') ; do
openssl_LibreSSL_manpage="$(echo "$openssl_manpage" | sed -e 's,openssl,libressl,g')"
cp -v "$openssl_manpage" "$openssl_LibreSSL_manpage"
done
)
done
# Duplicate the whole private man tree into the system man directory
mkdir -p %{buildroot}%{_omandir}
cp -rv %{buildroot}%{_mandir}/* %{buildroot}%{_omandir}/
# We have put libressl_ prefixed mans to system man directory,
# now delete them from /opt/libressl/share/man to leave
# mans with original names in /opt/libressl/share/man
# Mans with original names will be included to devel package only
rm -fv %{buildroot}%{_mandir}/*/libressl_*
rm -fv %{buildroot}%{_omandir}/*/openssl.*
# In the system man3 directory keep only the libressl_ prefixed pages
( cd %{buildroot}%{_omandir}/man3 ; rm -fv $(ls -1v | grep -v '^libressl_') )
# Fully delete other mans from /opt
rm -fv %{buildroot}%{_mandir}/*/{nc,netcat,ocspcheck}*
# Manually compress man pages because we use both
# /usr/share/man and /opt/libressl/share/man,
# /usr/lib/rpm/brp-compress will not compress both of them
# NOTE(review): this runs a sed-rewritten copy of the system brp-compress
# script from the build directory. The rewrite depends on the exact
# "./usr/share/man/man*" text in that script; if it no longer matches, the
# copy runs unmodified - worth confirming after rpm updates.
mkdir tmp
( cd tmp
sed -e 's,./usr/share/man/man*,%{buildroot}%{_mandir}/man* %{buildroot}%{_omandir}/man*,g' \
%{_usrlibrpm}/brp-compress > ./brp-compress.sh
chmod +x ./brp-compress.sh
COMPRESS="%{_compress}" COMPRESS_EXT="%{_extension}" ./brp-compress.sh
)
# Move the executables from the private prefix into the system bin directory;
# the openssl binary is then renamed to libressl so that it cannot collide
# with the openssl binary of system OpenSSL.
mkdir -p %{buildroot}%{_obindir}
mv -v \
  %{buildroot}%{_bindir}/nc \
  %{buildroot}%{_bindir}/ocspcheck \
  %{buildroot}%{_bindir}/openssl \
  %{buildroot}%{_obindir}/
mv -v %{buildroot}%{_obindir}/openssl %{buildroot}%{_obindir}/libressl
# netcat is a relative symlink to nc in the same directory
ln -s nc %{buildroot}%{_obindir}/netcat
# Make the headers reachable under the name libressl as well as openssl
ln -s openssl %{buildroot}%{_includedir}/libressl
# Static libraries and libtool archives are not packaged
( cd %{buildroot}%{_libdir} ; rm -fv *.la *.a )
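# Ship the pkg-config files in the system pkgconfig directory, renamed with a
# libressl- prefix so that they never shadow the modules of system OpenSSL.
mkdir -p %{buildroot}/%{_olibdir}/pkgconfig
mv -v %{buildroot}/%{_libdir}/pkgconfig/*.pc %{buildroot}/%{_olibdir}/pkgconfig
for i in share %{_lib}
do
  pkgconfig_dir="%{buildroot}/%{_oprefix}/${i}/pkgconfig"
  if [ ! -d "$pkgconfig_dir" ]; then continue; fi
  ( cd "$pkgconfig_dir"
    # The glob is expanded once, before any file is renamed inside the loop
    for f in *.pc
    do
      # Every module except openssl.pc must already carry a LibreSSL- name
      if [ "$f" != 'openssl.pc' ] && ! grep '^Name:' "$f" | grep -qi 'libressl\-'; then
        echo "Name in $f is not prefixed with LibreSSL-"
        exit 1
      fi
      # Restore ability to work with custom prefix
      # It is lost due to --exec_prefix=XXX in %%configure2_5x
      sed -i -r \
        -e 's,^exec_prefix=.+,exec_prefix=${prefix},' \
        -e 's,^libdir=.+,libdir=${exec_prefix}/lib,' \
        -e 's,^includedir=.+,includedir=${prefix}/include,' \
        "$f"
      mv -v "$f" "libressl-${f}"
      # Requires: libxx -> Requires: libressl-libxx
      # The libtls replacement used to be misspelled as "liblts", which
      # produced a module name that does not exist; all three libraries now
      # follow the same libressl-libNAME scheme. The last expression undoes
      # a doubled libressl- prefix.
      sed -i \
        -e 's/libcrypto/libressl-libcrypto/g' \
        -e 's/libtls/libressl-libtls/g' \
        -e 's/libssl/libressl-libssl/g' \
        -e 's/libressl-libressl-/libressl-/g' \
        "libressl-${f}"
      # The former openssl.pc becomes plain libressl.pc
      if [ -f libressl-openssl.pc ]; then
        mv -v libressl-openssl.pc libressl.pc
      fi
    done
  )
done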
# Relocate the versioned shared libraries into the system library directory
mv -v %{buildroot}/%{_libdir}/{libcrypto,libtls,libssl}.so.* %{buildroot}/%{_olibdir}/
# Leave symlinks with the same names in the private lib directory. The link
# goes three levels up from the private lib dir (e.g. /opt/libressl/lib) and
# then down into the system lib dir (e.g. /usr/lib64); a relative link is
# required so that the *.so files can also be used by the tests.
( cd %{buildroot}/%{_libdir}/
  for lib_path in %{buildroot}/%{_olibdir}/{libcrypto,libtls,libssl}.so.*
  do
    lib_name="${lib_path##*/}"
    ln -s ../../../"%{_olibdir}/${lib_name}" "$lib_name"
  done
)
# Only symlinks may remain in the private lib directory: any regular
# *.so.* file left there means a library was not relocated.
leftover_count="$(find %{buildroot}/%{_libdir}/ -iname '*.so.*' -type f | wc -l)"
if [ "$leftover_count" -ne 0 ]; then
  echo "Some shared libraries were not relocated!"
  exit 1
fi
# Drop the RPATHs from the relocated libraries and from the executables
chrpath --delete %{buildroot}/%{_olibdir}/*.so.*
chrpath --delete %{buildroot}/%{_obindir}/{nc,ocspcheck,libressl}
# Certificates come from system OpenSSL, so do not ship our own copies;
# only the configuration file is kept, under a LibreSSL-specific name.
rm -fvr %{buildroot}/%{_openssldir}/{certs,cert.pem}
mv -v %{buildroot}/%{_openssldir}/openssl.cnf %{buildroot}/%{_openssldir}/libressl.cnf
%check
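# Run a pkg-config command line and keep two results in global variables.
# Arguments: the command and its arguments, e.g. pkg-config --libs NAME
# Outputs (globals):
#   oflags - the command's stdout, unchanged
#   nflags - oflags with the install prefix redirected into the buildroot,
#            because the install prefix does not exist at build time
_pcf(){
  unset oflags nflags
  # Run the arguments directly instead of through eval, so that they are
  # not parsed by the shell a second time.
  oflags="$("$@")"
  nflags="$(echo "$oflags" | sed -e 's,%{_prefix},%{buildroot}%{_prefix},g')"
}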
# Binary under test: the one that was just installed into the buildroot
libressl="%{buildroot}/%{_obindir}/libressl"
# These tests caught a lot of mistakes during first builds.
# Resolve pkg-config modules and shared libraries from the buildroot.
PKG_CONFIG_PATH=%{buildroot}/%{_olibdir}/pkgconfig
LD_LIBRARY_PATH=%{buildroot}/%{_olibdir}
export PKG_CONFIG_PATH LD_LIBRARY_PATH
# (test 1) Check that openssldir is correct: take the last field of the
# reported directory line, strip the double quotes, and require an exact match
$libressl version -d | awk '{print $NF}' | tr -d '"' | grep -q '^%{_openssldir}$'
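# In the compiler calls below, nflags is left unquoted on purpose: it must
# split into separate compiler and linker arguments.
# (test 2) Check that path to config file is correct
# and also check that pkg-config libressl points to libressl, not openssl
_pcf pkg-config --libs --cflags libressl
%__cc -o test2 %{SOURCE22} $nflags
ldd ./test2
[ "$(./test2)" = "%{_openssldir}/libressl.cnf" ] || exit 1
# Check that our pkgconfig hacks somehow work
# (test 3) There is no /opt/libressl/ at build time
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test3 %{SOURCE20} $nflags
ldd ./test3
ldd ./test3 | grep 'libcrypto\.so\.%{libcrypto_sover}'
./test3 | grep Hello
# (test 4) Check that OpenSSL and LibreSSL devel parts coexist correctly
# (build with libcrypto from OpenSSL)
_pcf pkg-config --libs --cflags libcrypto
%__cc -o test4 %{SOURCE20} $nflags
ldd ./test4
# A plain "grep -v" succeeds as soon as any other line is printed, so it
# cannot detect a wrong link. Fail explicitly if libcrypto from LibreSSL
# shows up in a binary that was meant to be built against OpenSSL.
if ldd ./test4 | grep -q '/libcrypto\.so\.%{libcrypto_sover}'; then
  echo 'test4 is linked with libcrypto from LibreSSL, OpenSSL was expected' >&2
  exit 1
fi
./test4 | grep Hello
# (test 5) Check that flags from all *.pc are valid
# libtls is overlinking here, but check linking
_pcf pkg-config --libs --cflags libressl libressl-libssl libressl-libtls libressl-libcrypto
%__cc -o test5 %{SOURCE25} $nflags -lpthread -lz -ldl
ldd ./test5
ldd ./test5 | grep '/libcrypto\.so\.%{libcrypto_sover}'
ldd ./test5 | grep '/libssl\.so\.%{libssl_sover}'
ldd ./test5 | grep '/libtls\.so\.%{libtls_sover}'
./test5 --threads 2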
# (test 6) gost12sum (from the OpenSSL gost-engine) and LibreSSL must print
# the same Streebog-256 digest for the same file. This also simply checks
# that GOST checksums work at all.
# gost12sum without options is compared with Streebog-256 here; with -l it is
# compared with Streebog-512 in test 7.
echo test6 > ./test6
_ref_digest="$(gost12sum ./test6 | awk '{print $1}')"
_own_digest="$($libressl dgst -streebog256 ./test6 | awk '{print $NF}')"
if [ "$_ref_digest" != "$_own_digest" ]; then
  exit 1
fi
# (test 7) The same for Streebog-512
echo test7 > ./test7
_ref_digest="$(gost12sum -l ./test7 | awk '{print $1}')"
_own_digest="$($libressl dgst -streebog512 ./test7 | awk '{print $NF}')"
if [ "$_ref_digest" != "$_own_digest" ]; then
  exit 1
fi
unset _ref_digest _own_digest
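# (test 8) Check that LibreSSL and gostsum use different byte order in GOST R 34.11-94 hashes
# https://ru.wikipedia.org/wiki/ГОСТ_Р_34.11-94#Формат_вывода
# ...and that their hash tables do not differ
# https://github.com/gost-engine/engine/issues/189
# If byte orders change, package maintainers must become aware of this via this test failing
# Running the same hashsumming for multiple times checks that results do not randomize
# Both tools must hash the same file: without a file argument the dgst
# command reads standard input instead of ./test8, and the comparison would
# then be made between digests of different data.
echo test8 > ./test8
_gs_beg="$(gostsum ./test8 | awk '{print $1}' | head -c2)"
_gs_end="$(gostsum ./test8 | awk '{print $1}' | tail -c3)" #-c3 because of EOL
_ls_beg="$("$libressl" dgst -md_gost94 ./test8 | awk '{print $NF}' | head -c2)"
_ls_end="$("$libressl" dgst -md_gost94 ./test8 | awk '{print $NF}' | tail -c3)"
_gs_length="$(gostsum ./test8 | awk '{print $1}' | wc -c)"
_ls_length="$("$libressl" dgst -md_gost94 ./test8 | awk '{print $NF}' | wc -c)"
# The first two characters of one digest must equal the last two of the
# other and vice versa, and both digests must have the same length.
[ "$_gs_beg" = "$_ls_end" ] && \
[ "$_gs_end" = "$_ls_beg" ] && \
[ "$_gs_length" = "$_ls_length" ] || exit 1
unset _gs_beg _gs_end _ls_beg _ls_end _gs_length _ls_length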
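# (test 9) Test ability to sign using algos that require OPENSSL_NO_CMS to be undefined
# https://bugzilla.kernel.org/show_bug.cgi?id=202159
# and ability to generate a GOST R 34.10-2012 (512-bit) key
_pcf pkg-config --libs --cflags libressl-libcrypto
%__cc -o test9 %{SOURCE29} $nflags
# Use the binary from the buildroot through the libressl variable. A bare
# "libressl" is looked up in PATH, so it would either not be found or
# exercise an installed copy instead of the build under test.
# The key and certificate are throwaway test material, removed at the end.
"$libressl" ecparam -genkey -name id-tc26-gost-3410-2012-512-paramSetA -out priv.key -outform PEM
"$libressl" req -batch -new -x509 -nodes -key priv.key -out pem.pem \
  -subj "/C=RU/ST=Russia/L=Oryol/O=Test/OU=Test CA/CN=Test CA Root"
echo 123 > test9_file
./test9 streebog512 priv.key pem.pem test9_file
# The signing tool appends this marker as the last printable string
strings test9_file | tail -n 1 | grep -q '~Module signature appended~'
rm priv.key pem.pem test9_file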