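{
  stdenv,
  fetchurl,
  lib,
  cmake,
  cacert,
  fetchpatch,
  buildShared ? !stdenv.hostPlatform.isStatic,
}:

let
  # Name of the dynamic-loader search-path variable on the host platform. It is
  # used by preCheck/postCheck so the test binaries can find the freshly built,
  # not-yet-installed libtls/libssl/libcrypto.
  ldLibPathEnvName = if stdenv.hostPlatform.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";

  # Upstream fix to tests/tlstest.sh, shared by the 3.6 and 3.7 series.
  # Only that file is taken from the commit.
  tlstestPatch = fetchpatch {
    url = "https://github.com/libressl/portable/commit/86e4965d7f20c3a6afc41d95590c9f6abb4fe788.patch";
    includes = [ "tests/tlstest.sh" ];
    hash = "sha256-XmmKTvP6+QaWxyGFCX6/gDfME9GqBWSx4X8RH8QbDXA=";
  };

  # Fixes build on ppc64, shared by the 3.8 and 3.9 series.
  # https://github.com/libressl/portable/pull/1073
  ppc64Patch = fetchpatch {
    url = "https://github.com/libressl/portable/commit/e6c7de3f03c51fbdcf5ad88bf12fe9e128521f0d.patch";
    hash = "sha256-LJy3fjbnc9h5DG3/+8bLECwJeBpPxy3hU8sPuhovmcw=";
  };

  # Builds one LibreSSL release.
  #
  #   version              - upstream release, also used to pick the tarball
  #   hash                 - SRI hash of the release tarball (pins the download)
  #   patches              - patches applied on top of the tarball
  #   knownVulnerabilities - passed through to meta; a non-empty list marks the
  #                          release as insecure for nixpkgs' evaluation checks.
  #                          Upstream only maintains the two most recent release
  #                          series, so end-of-life series belong here.
  generic =
    {
      version,
      hash,
      patches ? [ ],
      knownVulnerabilities ? [ ],
    }:
    stdenv.mkDerivation rec {
      pname = "libressl";
      inherit version;

      # Fetched from the OpenBSD mirror set and verified against `hash`.
      src = fetchurl {
        url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
        inherit hash;
      };

      nativeBuildInputs = [ cmake ];

      cmakeFlags = [
        "-DENABLE_NC=ON"
        # Ensure that the output libraries do not require an executable stack.
        # Without this define, assembly files in libcrypto do not include a
        # .note.GNU-stack section, and if that section is missing from any object,
        # the linker will make the stack executable.
        "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
        # libressl will append this to the regular prefix for libdir
        "-DCMAKE_INSTALL_LIBDIR=lib"
      ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";

      # The autoconf build is broken as of 2.9.1, resulting in the following error:
      # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
      # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
      # removing ./configure pre-config.
      #
      # NOTE(review): `--replace` does not fail when a pattern is absent, unlike
      # the `--replace-fail` used in the 4.0 patch below; a CMakeLists.txt change
      # upstream would go unnoticed here. Verify the patterns on every series
      # before tightening this.
      preConfigure = ''
        rm configure
        substituteInPlace CMakeLists.txt \
          --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
          --replace 'libdir \''${exec_prefix}' 'libdir \''${prefix}'
      '';

      inherit patches;

      # Since 2.9.x the default location can't be configured from the build using
      # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
      # Without this, libtls would look for /etc/ssl/cert.pem by default, so
      # peer verification is pointed at the nixpkgs CA bundle instead.
      postPatch = ''
        patchShebangs tests/
        ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
          substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
        ''}
      '';

      # Tests are skipped on ppc64 and riscv.
      doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
      # Make the just-built libraries visible to the test programs, saving the
      # previous value so postCheck can restore it.
      # NOTE(review): relies on `$${...}` yielding a literal `$` followed by the
      # interpolated variable name in the shell snippet — confirm the exported
      # value is the expected path list if the check phase ever misbehaves.
      preCheck = ''
        export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
        export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
      '';
      postCheck = ''
        export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
      '';

      outputs = [
        "bin"
        "dev"
        "out"
        "man"
        "nc"
      ];

      # The nc(1) tool and its man page get their own output; the command-line
      # tools go to "bin" so library consumers do not pull them in.
      postFixup = ''
        moveToOutput "bin/nc" "$nc"
        moveToOutput "bin/openssl" "$bin"
        moveToOutput "bin/ocspcheck" "$bin"
        moveToOutput "share/man/man1/nc.1.gz" "$nc"
      '';

      meta = with lib; {
        description = "Free TLS/SSL implementation";
        homepage = "https://www.libressl.org";
        license = with licenses; [
          publicDomain
          bsdOriginal
          bsd0
          bsd3
          gpl3
          isc
          openssl
        ];
        platforms = platforms.all;
        maintainers = with maintainers; [
          thoughtpolice
          fpletz
        ];
        inherit knownVulnerabilities;

        # OpenBSD believes that PowerPC should be always-big-endian;
        # this assumption seems to have propagated into recent
        # releases of libressl. Since libressl is aliased to many
        # other packages (e.g. netcat) it's important to fail early
        # here, otherwise it's very difficult to figure out why
        # libressl is getting dragged into a failing build.
        badPlatforms = with lib.systems.inspect.patterns; [
          (lib.recursiveUpdate isPower64 isLittleEndian)
        ];
      };
    };
in
{
  libressl_3_6 = generic {
    version = "3.6.3";
    hash = "sha256-h7G7426e7I0K5fBMg9NrLFsOWBeEx+sIFwJe0p6t6jc=";
    patches = [ tlstestPatch ];
  };

  libressl_3_7 = generic {
    version = "3.7.3";
    hash = "sha256-eUjIVqkMglvXJotvhWdKjc0lS65C4iF4GyTj+NwzXbM=";
    patches = [ tlstestPatch ];
  };

  libressl_3_8 = generic {
    version = "3.8.4";
    hash = "sha256-wM75z+F0rDZs5IL1Qv3bB3Ief6DK+s40tJqHIPo3/n0=";
    patches = [ ppc64Patch ];
  };

  libressl_3_9 = generic {
    version = "3.9.2";
    hash = "sha256-ewMdrGSlnrbuMwT3/7ddrTOrjJ0nnIR/ksifuEYGj5c=";
    patches = [ ppc64Patch ];
  };

  libressl_4_0 = generic {
    version = "4.0.0";
    hash = "sha256-TYQZVfCsw9/HHQ49018oOvRhIiNQ4mhD/qlzHAJGoeQ=";
    # Fixes build on loongarch64
    # https://github.com/libressl/portable/pull/1146
    patches = [
      (fetchpatch {
        name = "0100-ALT-basic-loongarch64-support.patch";
        url = "https://git.altlinux.org/gears/L/LibreSSL.git?p=LibreSSL.git;a=blob_plain;f=patches/0100-ALT-basic-loongarch64-support.patch;hb=70ddea860b8b62531bd3968bf4d7a5c4b7086776";
        # The patch is a plain-text blob from a distro repository; stripLen /
        # extraPrefix rewrite its paths, and the fixed hash pins its content.
        stripLen = 2;
        extraPrefix = "";
        postFetch = ''
          substituteInPlace "$out" \
            --replace-fail "a//dev/null" "/dev/null"
        '';
        hash = "sha256-dEdtmHHiR7twAqgebXv1Owle/KYCak71NhDCp0PdseU=";
      })
    ];
  };
}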