1{
2 stdenv,
3 fetchurl,
4 lib,
5 cmake,
6 cacert,
7 fetchpatch,
8 buildShared ? !stdenv.hostPlatform.isStatic,
9}:
10
11let
# Name of the dynamic-loader search-path variable on the host platform.
# The check phase hooks below use it to point the test suite at the
# libraries that were just built.
ldLibPathEnvName =
  if stdenv.hostPlatform.isDarwin then
    "DYLD_LIBRARY_PATH"
  else
    "LD_LIBRARY_PATH";
13
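# Shared derivation builder for every packaged LibreSSL release.
#
# Arguments:
#   version              upstream release, also used to build the tarball URL
#   hash                 fixed-output hash of the release tarball
#   patches              extra patches applied on top of the tarball
#   postPatch            shell snippet appended after the built-in postPatch
#   knownVulnerabilities advisory strings passed through to meta; in nixpkgs a
#                        non-empty list marks the package insecure, so it is
#                        refused by default at evaluation time
generic =
  {
    version,
    hash,
    patches ? [ ],
    postPatch ? "",
    knownVulnerabilities ? [ ],
  }:
  stdenv.mkDerivation {
    pname = "libressl";
    inherit version;

    # The tarball is content-addressed by `hash`, so a tampered or replaced
    # mirror copy fails the fetch instead of being built.
    src = fetchurl {
      url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz";
      inherit hash;
    };

    nativeBuildInputs = [ cmake ];

    cmakeFlags = [
      # Also build the bundled netcat; postFixup moves it to its own `nc`
      # output so library consumers do not pull it in implicitly.
      "-DENABLE_NC=ON"
      # Ensure that the output libraries do not require an executable stack.
      # Without this define, assembly files in libcrypto do not include a
      # .note.GNU-stack section, and if that section is missing from any object,
      # the linker will make the stack executable.
      "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
      # libressl will append this to the regular prefix for libdir
      "-DCMAKE_INSTALL_LIBDIR=lib"

      # Default trust store for libtls is the cacert bundle in the Nix store.
      # The set of trust anchors is therefore fixed when the package is built;
      # picking up CA additions or removals requires a rebuild against a
      # newer cacert.
      "-DTLS_DEFAULT_CA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
    ]
    ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";

    # The autoconf build is broken as of 2.9.1, resulting in the following error:
    # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
    # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
    # removing ./configure pre-config.
    #
    # The substitutions rewrite the pkg-config path templates in
    # CMakeLists.txt; --replace-fail aborts the build if upstream changes the
    # text, so a silently unpatched file cannot slip through.
    preConfigure = ''
      rm configure
      substituteInPlace CMakeLists.txt \
        --replace-fail 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
        --replace-fail 'libdir \''${exec_prefix}' 'libdir \''${prefix}'
    '';

    inherit patches;

    postPatch = ''
      patchShebangs tests/
    ''
    + postPatch;

    # The upstream test suite is skipped on 64-bit POWER and RISC-V, so builds
    # for those platforms are not validated by it.
    doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);

    # Let the tests load the freshly built libtls/libssl/libcrypto.
    #
    # Nix does not interpolate `$${name}`: the text is emitted unchanged, and
    # the shell then expands `$$` to its PID followed by a literal `{name}`.
    # That would lose the previous value and put a bogus relative entry first
    # in the loader search path. `''$` is the indented-string escape for a
    # literal dollar sign, so `''$${name}` yields `$LD_LIBRARY_PATH` (or the
    # Darwin equivalent). The `:+` form only prepends the old value when it is
    # non-empty, which avoids a leading empty entry (= current directory).
    preCheck = ''
      export PREVIOUS_${ldLibPathEnvName}="''${${ldLibPathEnvName}-}"
      export ${ldLibPathEnvName}="''${${ldLibPathEnvName}:+''$${ldLibPathEnvName}:}$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
    '';
    # Restore the search path saved in preCheck so later phases do not keep
    # resolving libraries from the build tree.
    postCheck = ''
      export ${ldLibPathEnvName}="$PREVIOUS_${ldLibPathEnvName}"
    '';

    outputs = [
      "bin"
      "dev"
      "out"
      "man"
      "nc"
    ];

    # Split the command-line tools from the libraries: netcat and its man page
    # go to `nc`, the openssl and ocspcheck binaries to `bin`.
    postFixup = ''
      moveToOutput "bin/nc" "$nc"
      moveToOutput "bin/openssl" "$bin"
      moveToOutput "bin/ocspcheck" "$bin"
      moveToOutput "share/man/man1/nc.1.gz" "$nc"
    '';

    meta = with lib; {
      description = "Free TLS/SSL implementation";
      homepage = "https://www.libressl.org";
      license = with licenses; [
        publicDomain
        bsdOriginal
        bsd0
        bsd3
        gpl3
        isc
        openssl
      ];
      platforms = platforms.all;
      maintainers = with maintainers; [
        thoughtpolice
        fpletz
      ];
      inherit knownVulnerabilities;

      # OpenBSD believes that PowerPC should be always-big-endian;
      # this assumption seems to have propagated into recent
      # releases of libressl. Since libressl is aliased to many
      # other packages (e.g. netcat) it's important to fail early
      # here, otherwise it's very difficult to figure out why
      # libressl is getting dragged into a failing build.
      badPlatforms = with lib.systems.inspect.patterns; [
        (lib.recursiveUpdate isPower64 isLittleEndian)
      ];
    };
  };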
119in
120{
# LibreSSL 3.9 series.
# NOTE(review): knownVulnerabilities is left at its default (empty) here;
# confirm this series still receives upstream security fixes.
libressl_3_9 =
  let
    # Fixes build on ppc64
    # https://github.com/libressl/portable/pull/1073
    # Pinned twice: the URL names a full commit id and the patch text is
    # checked against `hash`.
    ppc64BuildFix = fetchpatch {
      url = "https://github.com/libressl/portable/commit/e6c7de3f03c51fbdcf5ad88bf12fe9e128521f0d.patch";
      hash = "sha256-LJy3fjbnc9h5DG3/+8bLECwJeBpPxy3hU8sPuhovmcw=";
    };
  in
  generic {
    version = "3.9.2";
    hash = "sha256-ewMdrGSlnrbuMwT3/7ddrTOrjJ0nnIR/ksifuEYGj5c=";

    patches = [ ppc64BuildFix ];
  };
134
# LibreSSL 4.0 series.
libressl_4_0 =
  let
    # Fixes build on loongarch64
    # https://github.com/libressl/portable/pull/1146
    #
    # The patch text is taken from the ALT Linux packaging repository rather
    # than from the upstream repository. The `hb=` parameter pins the commit
    # it is read from, and `hash` covers the patch after the postFetch
    # rewrite below, so any change on the remote side fails the fetch.
    loongarch64Support = fetchpatch {
      name = "0100-ALT-basic-loongarch64-support.patch";
      url = "https://git.altlinux.org/gears/L/LibreSSL.git?p=LibreSSL.git;a=blob_plain;f=patches/0100-ALT-basic-loongarch64-support.patch;hb=70ddea860b8b62531bd3968bf4d7a5c4b7086776";
      hash = "sha256-dEdtmHHiR7twAqgebXv1Owle/KYCak71NhDCp0PdseU=";
      stripLen = 2;
      extraPrefix = "";
      # Presumably the path rewriting above mangles the /dev/null side of
      # new-file headers; put it back so the patch still applies.
      postFetch = ''
        substituteInPlace "$out" \
          --replace-fail "a//dev/null" "/dev/null"
      '';
    };
  in
  generic {
    version = "4.0.0";
    hash = "sha256-TYQZVfCsw9/HHQ49018oOvRhIiNQ4mhD/qlzHAJGoeQ=";
    patches = [ loongarch64Support ];
  };
154
# LibreSSL 4.1 series.
libressl_4_1 =
  let
    # Header copied into the source tree by postPatch below.
    # The URL goes through a tag ref, which upstream could move; the fixed
    # `hash` means a changed file fails the fetch rather than being used.
    loongarch64Opensslconf = fetchurl {
      url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h";
      hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo=";
    };
  in
  generic {
    version = "4.1.0";
    hash = "sha256-D3HBa9NL2qzNy5al2UpJIb+2EuxuDrp6gNiFTu/Yu2E=";
    # Fixes build on loongarch64
    # https://github.com/libressl/portable/pull/1184
    postPatch = ''
      mkdir -p include/arch/loongarch64
      cp ${loongarch64Opensslconf} include/arch/loongarch64/opensslconf.h
    '';
  };
170}