path: root/libxcrypt.spec.rpkg

# Build with new api?
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
%bcond_without new_api
%else
%bcond_with    new_api
%endif


# Build the compat package?
%if !(0%{?fedora} >= 999 || 0%{?rhel} >= 99) && %{with new_api}
%bcond_without compat_pkg
%else
%bcond_with    compat_pkg
%endif


# Replace obsolete functions with a stub?
%if (0%{?fedora} >= 30 || 0%{?rhel} >= 9) && %{with compat_pkg}
%bcond_without enosys_stubs
%else
%bcond_with    enosys_stubs
%endif


# Build the static library?
%bcond_without staticlib


# Shared object version of libcrypt.
%if %{with new_api}
%global soc  2
%global sol  0
%global sof  0
%global sov  %{soc}.%{sol}.%{sof}
%else
%global soc  1
%global sol  1
%global sof  0
%global sov  %{soc}.%{sol}.%{sof}
%endif

%if %{with compat_pkg}
%global csoc 1
%global csol 1
%global csof 0
%global csov %{csoc}.%{csol}.%{csof}
%endif


# First version of glibc built without libcrypt.
%global glibc_minver     2.28


# Minimum version of Perl needed for some build-scripts.
%global perl_minver      5.14


# The libxcrypt-devel package conflicts with out-dated manuals
# shipped with the man-pages packages *before* this EVR.
%global man_pages_minver 4.15-3


# Hash methods and API supported by libcrypt.
# NEVER EVER touch this, if you do NOT know what you are doing!
%global hash_methods   all

%if %{with new_api}
%global obsolete_api   no
%else
%global obsolete_api   glibc
%endif

%if %{with compat_pkg}
%global compat_methods all
%global compat_api     glibc
%endif


# Do we replace the obsolete API functions with stubs?
%if %{with enosys_stubs}
%global enosys_stubs   yes
%else
%global enosys_stubs   no
%endif


# Needed for the distribution README file.
%if 0%{?fedora}
%global distname .fedora
%else
%if 0%{?rhel}
%global distname .rhel
%else
%global distname .distribution
%endif
%endif


# Needed for out-of-tree builds.
%global _configure "$(realpath ../configure)"


# Common configure options.
%global common_configure_options           \\\
  --disable-failure-tokens                 \\\
  --disable-silent-rules                   \\\
  --enable-shared                          \\\
%if %{with staticlib}                      \
  --enable-static                          \\\
%else                                      \
  --disable-static                         \\\
%endif                                     \
  --disable-valgrind                       \\\
  --srcdir=$(realpath ..)                  \\\
  --with-pkgconfigdir=%{_libdir}/pkgconfig


# Fail linking if there are undefined symbols.
# Required for proper ELF symbol versioning support.
%global _ld_strict_symbol_defs 1


Name:           {{{ git_name }}}
Version:        {{{ git_real_version }}}
Release:        0.{{{ git_real_release }}}%{?dist}
Summary:        Extended crypt library for descrypt, md5crypt, bcrypt, and others

# For explicit license breakdown, see the
# LICENSING file in the source tarball.
License:        LGPLv2+ and BSD and Public Domain
URL:            https://github.com/besser82/%{name}
VCS:            {{{ git_dir_vcs }}}

Source0:        {{{ git_dir_pack }}}

BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  gcc
BuildRequires:  glibc-devel                  >= %{glibc_minver}
BuildRequires:  libtool
BuildRequires:  make
BuildRequires:  perl-interpreter             >= %{perl_minver}
BuildRequires:  perl(Class::Struct)
BuildRequires:  perl(Cwd)
BuildRequires:  perl(Exporter)
BuildRequires:  perl(File::Spec::Functions)
BuildRequires:  perl(File::Temp)
BuildRequires:  perl(FindBin)
BuildRequires:  perl(if)
BuildRequires:  perl(IPC::Open3)
BuildRequires:  perl(lib)
BuildRequires:  perl(open)
BuildRequires:  perl(POSIX)
BuildRequires:  perl(Symbol)
BuildRequires:  perl(utf8)
BuildRequires:  perl(:VERSION)               >= %{perl_minver}
BuildRequires:  perl(warnings)

# We do not need to keep this forever.
%if !(0%{?fedora} > 31 || 0%{?rhel} > 9)
# Inherited from former libcrypt package.
Obsoletes:      libcrypt-nss           < %{glibc_minver}
Provides:       libcrypt-nss           = %{glibc_minver}
Provides:       libcrypt-nss%{?_isa}   = %{glibc_minver}

# Obsolete former libcrypt properly and provide a virtual libcrypt
# package as it has been done by the former packages, which were
# built by glibc before.
Obsoletes:      libcrypt               < %{glibc_minver}
Provides:       libcrypt               = %{glibc_minver}
Provides:       libcrypt%{?_isa}       = %{glibc_minver}

# Obsolete former libxcrypt-common properly.
Obsoletes:      %{name}-common         < 4.3.3-4
Provides:       %{name}-common         = %{version}-%{release}
%endif

%if %{with new_api} && %{without compat_pkg}
Obsoletes:      %{name}-compat         < %{version}-%{release}
%endif

%if !(0%{?fedora} > 34 || 0%{?rhel} > 9)
# We need a version of glibc, that doesn't build libcrypt anymore.
Requires:       glibc%{?_isa}         >= %{glibc_minver}
%endif

%if 0%{?fedora} >= 30
Recommends:     mkpasswd
%endif

%description
libxcrypt is a modern library for one-way hashing of passwords.  It
supports a wide variety of both modern and historical hashing methods:
yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt,
md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, and descrypt.
It provides the traditional Unix crypt and crypt_r interfaces, as well
as a set of extended interfaces pioneered by Openwall Linux, crypt_rn,
crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords during
an interactive authentication dialogue with a human. It is not suitable
for use in bulk password-cracking applications, or in any other situation
where speed is more important than careful handling of sensitive data.
However, it is intended to be fast and lightweight enough for use in
servers that must field thousands of login attempts per minute.
%if %{with new_api}
This version of the library does not provide the legacy API functions
that have been provided by glibc's libcrypt.so.1.
%endif


%if %{with compat_pkg}
%package        compat
Summary:        Compatibility library providing legacy API functions

# For testing the glibc compatibility symbols.
BuildRequires:  libxcrypt-compat

Requires:       %{name}%{?_isa}        = %{version}-%{release}

%if !(0%{?fedora} > 34 || 0%{?rhel} > 9)
# We need a version of glibc, that doesn't build libcrypt anymore.
Requires:       glibc%{?_isa}         >= %{glibc_minver}
%endif

%description    compat
This package contains the library providing the compatibility API
for applications that are linked against glibc's libxcrypt, or that
are still using the unsafe and deprecated, encrypt, encrypt_r,
setkey, setkey_r, and fcrypt functions, which are still required by
recent versions of POSIX, the Single UNIX Specification, and various
other standards.

All existing binary executables linked against glibc's libcrypt should
work unmodified with the library supplied by this package.
%endif


%package        devel
Summary:        Development files for %{name}

Conflicts:      man-pages              < %{man_pages_minver}

Requires:       %{name}%{?_isa}        = %{version}-%{release}
Requires:       glibc-devel%{?_isa}   >= %{glibc_minver}

%description    devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.


%if %{with staticlib}
%package        static
Summary:        Static library for -static linking with %{name}

Requires:       %{name}-devel%{?_isa}  = %{version}-%{release}
Requires:       glibc-devel%{?_isa}   >= %{glibc_minver}
Requires:       glibc-static%{?_isa}  >= %{glibc_minver}

%description    static
This package contains the libxcrypt static library for -static
linking.

You don't need this, unless you link statically, which is highly
discouraged.
%endif


%prep
{{{ git_dir_setup_macro }}}

$(realpath ./autogen.sh)

%if %{with new_api}
cat << EOF >> README%{distname}
This version of the %{name} package ships the libcrypt.so.2
library and does not provide the legacy API functions that have
been provided by glibc's libcrypt.so.1.  The removed functions
by name are encrypt, encrypt_r, setkey, setkey_r, and fcrypt.
%if %{with compat_pkg}

If you are using a third-party application that links against
those functions, or that is linked against glibc's libcrypt,
you may need to install the %{name}-compat package manually.

All existing binary executables linked against glibc's libcrypt
should work unmodified with the libcrypt.so.1 library supplied
by the %{name}-compat package.
%endif
EOF
%endif

%if %{with enosys_stubs}
cat << EOF >> README.posix
This version of the libcrypt.so.1 library has entirely removed
the functionality of the encrypt, encrypt_r, setkey, setkey_r,
and fcrypt functions, while keeping fully binary compatibility
with existing (third-party) applications possibly still using
those funtions.  If such an application attemps to call one of
these functions, the corresponding function will indicate that
it is not supported by the system in a POSIX-compliant way.

For security reasons, the encrypt and encrypt_r functions will
also overwrite their data-block argument with random bits.

All existing binary executables linked against glibc's libcrypt
should work unmodified with the provided version of the
libcrypt.so.1 library in place.
EOF
%endif

%if %{with staticlib}
cat << EOF >> README.static
Applications that use certain legacy APIs supplied by glibc’s
libcrypt (encrypt, encrypt_r, setkey, setkey_r, and fcrypt)
cannot be compiled nor linked against the supplied build of
the object files provided in the static library libcrypt.a.
EOF
%endif


%build
mkdir -p %{_vpath_builddir}

# Build the default system library.
pushd %{_vpath_builddir}
%configure                                       \
  %{common_configure_options}                    \
  --enable-hashes=%{hash_methods}                \
  --enable-obsolete-api=%{obsolete_api}          \
%if %{with new_api}
  --enable-obsolete-api-enosys=%{obsolete_api}
%else
  --enable-obsolete-api-enosys=%{enosys_stubs}
%endif
%make_build
%make_build test-programs
popd

%if %{with compat_pkg}
mkdir -p %{_vpath_builddir}-compat

# Build the compatibility library.
pushd %{_vpath_builddir}-compat
%configure                                       \
  %{common_configure_options}                    \
  --enable-hashes=%{compat_methods}              \
  --enable-obsolete-api=%{compat_api}            \
  --enable-obsolete-api-enosys=%{enosys_stubs}
%make_build
%make_build test-programs
popd
%endif

mkdir -p %{_vpath_builddir}-all_possible_tests

# The configure scripts want to use -Wl,--wrap to run some
# special tests, which is not compatible with LTO.
%global system_lto_cflags_bak %{_lto_cflags}
%define _lto_cflags %{nil}

# Reset compiler flags in env.
unset CFLAGS
unset CXXFLAGS
unset FFLAGS
unset FCFLAGS
unset LDFLAGS
unset LT_SYS_LIBRARY_PATH

# Build a library suitable for all possible tests.
pushd %{_vpath_builddir}-all_possible_tests
# Disable arc4random_buf on purpose, so we are able
# to run test/getrandom-fallback from testsuite.
%configure                                       \
ac_cv_func_arc4random_buf=no                     \
%if %{with compat_pkg}
  %{common_configure_options}                    \
  --enable-hashes=all                            \
  --enable-obsolete-api=%{compat_api}            \
  --enable-obsolete-api-enosys=%{enosys_stubs}
%else
  %{common_configure_options}                    \
  --enable-hashes=%{hash_methods}                \
  --enable-obsolete-api=%{obsolete_api}          \
%if %{with new_api}
  --enable-obsolete-api-enosys=%{obsolete_api}
%else
  --enable-obsolete-api-enosys=%{enosys_stubs}
%endif
%endif
%define _lto_cflags %{system_lto_cflags_bak}
%make_build
%make_build test-programs
popd


%install
%if %{with compat_pkg}
# Install the compatibility library.
%make_install -C %{_vpath_builddir}-compat

# Cleanup everything we do not need from the compatibility library.
find %{buildroot} -xtype f -not -name 'libcrypt.so.%{csoc}*' -delete -print
find %{buildroot} -type l -not -name 'libcrypt.so.%{csoc}*' -delete -print
%endif

# Install the default system library.
%make_install -C %{_vpath_builddir}

# Get rid of libtool crap.
find %{buildroot} -name '*.la' -delete -print

# Install documentation to shared %%_pkgdocdir.
install -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \
  ChangeLog NEWS README* THANKS TODO

# Drop README.md as it is identical to README.
rm -f %{buildroot}%{_pkgdocdir}/README.md


%check
build_dirs="%{_vpath_builddir}"
%if %{with compat_pkg}
build_dirs="${build_dirs} %{_vpath_builddir}-compat"
%endif
build_dirs="${build_dirs} %{_vpath_builddir}-all_possible_tests"
for dir in ${build_dirs}; do
  %make_build -C ${dir} check || \
    {
      rc=$?;
      echo "-----BEGIN TESTLOG: ${dir}-----";
      cat ${dir}/test-suite.log;
      echo "-----END TESTLOG: ${dir}-----";
      exit $rc;
    }
done


%ldconfig_scriptlets
%if %{with compat_pkg}
%ldconfig_scriptlets compat
%endif


%files
%doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/NEWS
%doc %{_pkgdocdir}/README
%if %{with new_api}
%doc %{_pkgdocdir}/README%{distname}
%endif
%if %{with enosys_stubs} && %{without compat_pkg}
%doc %{_pkgdocdir}/README.posix
%endif
%doc %{_pkgdocdir}/THANKS
%license AUTHORS COPYING.LIB LICENSING
%{_libdir}/libcrypt.so.%{soc}
%{_libdir}/libcrypt.so.%{sov}
%{_mandir}/man5/crypt.5*


%if %{with compat_pkg}
%files          compat
%if %{with enosys_stubs}
%doc %{_pkgdocdir}/README.posix
%endif
%{_libdir}/libcrypt.so.%{csoc}
%{_libdir}/libcrypt.so.%{csov}
%endif


%files          devel
%doc %{_pkgdocdir}/ChangeLog
%doc %{_pkgdocdir}/TODO
%{_libdir}/libcrypt.so
%if %{without new_api}
%{_libdir}/libxcrypt.so
%endif
%{_includedir}/crypt.h
%if %{without new_api}
%{_includedir}/xcrypt.h
%endif
%{_libdir}/pkgconfig/libcrypt.pc
%{_libdir}/pkgconfig/%{name}.pc
%{_mandir}/man3/crypt.3*
%{_mandir}/man3/crypt_r.3*
%{_mandir}/man3/crypt_ra.3*
%{_mandir}/man3/crypt_rn.3*
%{_mandir}/man3/crypt_checksalt.3*
%{_mandir}/man3/crypt_gensalt.3*
%{_mandir}/man3/crypt_gensalt_ra.3*
%{_mandir}/man3/crypt_gensalt_rn.3*
%{_mandir}/man3/crypt_preferred_method.3*


%if %{with staticlib}
%files          static
%doc %{_pkgdocdir}/README.static
%{_libdir}/libcrypt.a
%if %{without new_api}
%{_libdir}/libxcrypt.a
%endif
%endif


%changelog
{{{ git_dir_changelog }}}