tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
fork atom
nixpkgs / pkgs / development / libraries / openssl / default.nix
at flake-libs 398 lines 15 kB view raw
1{ 2 lib, 3 stdenv, 4 fetchurl, 5 buildPackages, 6 perl, 7 coreutils, 8 writeShellScript, 9 makeBinaryWrapper, 10 withCryptodev ? false, 11 cryptodev, 12 withZlib ? false, 13 zlib, 14 enableSSL2 ? false, 15 enableSSL3 ? false, 16 enableMD2 ? false, 17 enableKTLS ? stdenv.hostPlatform.isLinux, 18 static ? stdenv.hostPlatform.isStatic, 19 # path to openssl.cnf file. will be placed in $etc/etc/ssl/openssl.cnf to replace the default 20 conf ? null, 21 removeReferencesTo, 22 testers, 23}: 24 25# Note: this package is used for bootstrapping fetchurl, and thus 26# cannot use fetchpatch! All mutable patches (generated by GitHub or 27# cgit) that are needed here should be included directly in Nixpkgs as 28# files. 29 30let 31 common = 32 { 33 version, 34 hash, 35 patches ? [ ], 36 withDocs ? false, 37 extraMeta ? { }, 38 }: 39 stdenv.mkDerivation (finalAttrs: { 40 pname = "openssl"; 41 inherit version; 42 43 src = fetchurl { 44 url = 45 if lib.versionOlder version "3.0" then 46 let 47 versionFixed = builtins.replaceStrings [ "." ] [ "_" ] version; 48 in 49 "https://github.com/openssl/openssl/releases/download/OpenSSL_${versionFixed}/openssl-${version}.tar.gz" 50 else 51 "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"; 52 inherit hash; 53 }; 54 55 inherit patches; 56 57 postPatch = 58 '' 59 patchShebangs Configure 60 '' 61 + lib.optionalString (lib.versionOlder version "1.1.1") '' 62 patchShebangs test/* 63 for a in test/t* ; do 64 substituteInPlace "$a" \ 65 --replace /bin/rm rm 66 done 67 '' 68 # config is a configure script which is not installed. 69 + lib.optionalString (lib.versionAtLeast version "1.1.1") '' 70 substituteInPlace config --replace '/usr/bin/env' '${buildPackages.coreutils}/bin/env' 71 '' 72 + lib.optionalString (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isMusl) '' 73 substituteInPlace crypto/async/arch/async_posix.h \ 74 --replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \ 75 '!defined(__ANDROID__) && !defined(__OpenBSD__) && 0' 76 '' 77 # Move ENGINESDIR into OPENSSLDIR for static builds, in order to move 78 # it to the separate etc output. 79 + lib.optionalString static '' 80 substituteInPlace Configurations/unix-Makefile.tmpl \ 81 --replace 'ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}' \ 82 'ENGINESDIR=$(OPENSSLDIR)/engines-{- $sover_dirname -}' 83 ''; 84 85 outputs = 86 [ 87 "bin" 88 "dev" 89 "out" 90 "man" 91 ] 92 ++ lib.optional withDocs "doc" 93 # Separate output for the runtime dependencies of the static build. 94 # Specifically, move OPENSSLDIR into this output, as its path will be 95 # compiled into 'libcrypto.a'. This makes it a runtime dependency of 96 # any package that statically links openssl, so we want to keep that 97 # output minimal. 98 ++ lib.optional static "etc"; 99 setOutputFlags = false; 100 separateDebugInfo = 101 !stdenv.hostPlatform.isDarwin 102 && !stdenv.hostPlatform.isAndroid 103 && !(stdenv.hostPlatform.useLLVM or false) 104 && stdenv.cc.isGNU; 105 106 nativeBuildInputs = 107 lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper 108 ++ [ perl ] 109 ++ lib.optionals static [ removeReferencesTo ]; 110 buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib; 111 112 # TODO(@Ericson2314): Improve with mass rebuild 113 configurePlatforms = [ ]; 114 configureScript = 115 { 116 armv5tel-linux = "./Configure linux-armv4 -march=armv5te"; 117 armv6l-linux = "./Configure linux-armv4 -march=armv6"; 118 armv7l-linux = "./Configure linux-armv4 -march=armv7-a"; 119 x86_64-darwin = "./Configure darwin64-x86_64-cc"; 120 aarch64-darwin = "./Configure darwin64-arm64-cc"; 121 x86_64-linux = "./Configure linux-x86_64"; 122 x86_64-solaris = "./Configure solaris64-x86_64-gcc"; 123 powerpc64-linux = "./Configure linux-ppc64"; 124 riscv32-linux = "./Configure ${ 125 if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic" 126 }"; 127 riscv64-linux = "./Configure linux64-riscv64"; 128 } 129 .${stdenv.hostPlatform.system} or ( 130 if stdenv.hostPlatform == stdenv.buildPlatform then 131 "./config" 132 else if stdenv.hostPlatform.isBSD then 133 if stdenv.hostPlatform.isx86_64 then 134 "./Configure BSD-x86_64" 135 else if stdenv.hostPlatform.isx86_32 then 136 "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf" 137 else 138 "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" 139 else if stdenv.hostPlatform.isMinGW then 140 "./Configure mingw${ 141 lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) ( 142 toString stdenv.hostPlatform.parsed.cpu.bits 143 ) 144 }" 145 else if stdenv.hostPlatform.isLinux then 146 if stdenv.hostPlatform.isx86_64 then 147 "./Configure linux-x86_64" 148 else if stdenv.hostPlatform.isMicroBlaze then 149 "./Configure linux-latomic" 150 else if stdenv.hostPlatform.isMips32 then 151 "./Configure linux-mips32" 152 else if stdenv.hostPlatform.isMips64n32 then 153 "./Configure linux-mips64" 154 else if stdenv.hostPlatform.isMips64n64 then 155 "./Configure linux64-mips64" 156 else 157 "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" 158 else if stdenv.hostPlatform.isiOS then 159 "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross" 160 else 161 throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}" 162 ); 163 164 # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags. 165 dontAddStaticConfigureFlags = true; 166 configureFlags = 167 [ 168 "shared" # "shared" builds both shared and static libraries 169 "--libdir=lib" 170 ( 171 if !static then 172 "--openssldir=etc/ssl" 173 else 174 # Move OPENSSLDIR to the 'etc' output for static builds. Prepend '/.' 175 # to the path to make it appear absolute before variable expansion, 176 # else the 'prefix' would be prepended to it. 177 "--openssldir=/.$(etc)/etc/ssl" 178 ) 179 ] 180 ++ lib.optionals withCryptodev [ 181 "-DHAVE_CRYPTODEV" 182 "-DUSE_CRYPTODEV_DIGESTS" 183 ] 184 ++ lib.optional enableMD2 "enable-md2" 185 ++ lib.optional enableSSL2 "enable-ssl2" 186 ++ lib.optional enableSSL3 "enable-ssl3" 187 # We select KTLS here instead of the configure-time detection (which we patch out). 188 # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it. 189 ++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls" 190 ++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng" 191 # OpenSSL needs a specific `no-shared` configure flag. 192 # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options 193 # for a comprehensive list of configuration options. 194 ++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared" 195 ++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module" 196 # This introduces a reference to the CTLOG_FILE which is undesired when 197 # trying to build binaries statically. 198 ++ lib.optional static "no-ct" 199 ++ lib.optional withZlib "zlib" 200 # /dev/crypto support has been dropped in OpenBSD 5.7. 201 # 202 # OpenBSD's ports does this too, 203 # https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25. 204 # 205 # https://github.com/openssl/openssl/pull/10565 indicated the 206 # intent was that this would be configured properly automatically, 207 # but that doesn't appear to be the case. 208 ++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng" 209 ++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [ 210 # This is necessary in order to avoid openssl adding -march 211 # flags which ultimately conflict with those added by 212 # cc-wrapper. Openssl assumes that it can scan CFLAGS to 213 # detect any -march flags, using this perl code: 214 # 215 # && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}}) 216 # 217 # The following bogus CFLAGS environment variable triggers the 218 # the code above, inhibiting `./Configure` from adding the 219 # conflicting flags. 220 "CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}" 221 ]; 222 223 makeFlags = [ 224 "MANDIR=$(man)/share/man" 225 # This avoids conflicts between man pages of openssl subcommands (for 226 # example 'ts' and 'err') man pages and their equivalent top-level 227 # command in other packages (respectively man-pages and moreutils). 228 # This is done in ubuntu and archlinux, and possiibly many other distros. 229 "MANSUFFIX=ssl" 230 ]; 231 232 enableParallelBuilding = true; 233 234 postInstall = 235 ( 236 if static then 237 '' 238 # OPENSSLDIR has a reference to self 239 remove-references-to -t $out $out/lib/*.a 240 '' 241 else 242 '' 243 # If we're building dynamic libraries, then don't install static 244 # libraries. 245 if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then 246 rm "$out/lib/"*.a 247 fi 248 249 # 'etc' is a separate output on static builds only. 250 etc=$out 251 '' 252 ) 253 + '' 254 mkdir -p $bin 255 mv $out/bin $bin/bin 256 257 '' 258 + 259 lib.optionalString (!stdenv.hostPlatform.isWindows) 260 # makeWrapper is broken for windows cross (https://github.com/NixOS/nixpkgs/issues/120726) 261 '' 262 # c_rehash is a legacy perl script with the same functionality 263 # as `openssl rehash` 264 # this wrapper script is created to maintain backwards compatibility without 265 # depending on perl 266 makeWrapper $bin/bin/openssl $bin/bin/c_rehash \ 267 --add-flags "rehash" 268 '' 269 + '' 270 271 mkdir $dev 272 mv $out/include $dev/ 273 274 # remove dependency on Perl at runtime 275 rm -r $etc/etc/ssl/misc 276 277 rmdir $etc/etc/ssl/{certs,private} 278 '' 279 + lib.optionalString (conf != null) '' 280 cat ${conf} > $etc/etc/ssl/openssl.cnf 281 ''; 282 283 postFixup = 284 lib.optionalString (!stdenv.hostPlatform.isWindows) '' 285 # Check to make sure the main output and the static runtime dependencies 286 # don't depend on perl 287 if grep -r '${buildPackages.perl}' $out $etc; then 288 echo "Found an erroneous dependency on perl ^^^" >&2 289 exit 1 290 fi 291 '' 292 + lib.optionalString (lib.versionAtLeast version "3.3.0") '' 293 # cleanup cmake helpers for now (for OpenSSL >= 3.3), only rely on pkg-config. 294 # pkg-config gets its paths fixed correctly 295 rm -rf $dev/lib/cmake 296 ''; 297 298 passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; 299 300 meta = { 301 homepage = "https://www.openssl.org/"; 302 changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md"; 303 description = "Cryptographic library that implements the SSL and TLS protocols"; 304 license = lib.licenses.openssl; 305 mainProgram = "openssl"; 306 maintainers = with lib.maintainers; [ thillux ]; 307 teams = [ lib.teams.stridtech ]; 308 pkgConfigModules = [ 309 "libcrypto" 310 "libssl" 311 "openssl" 312 ]; 313 platforms = lib.platforms.all; 314 } // extraMeta; 315 }); 316 317in 318{ 319 # intended version "policy": 320 # - 1.1 as long as some package exists, which does not build without it 321 # (tracking issue: https://github.com/NixOS/nixpkgs/issues/269713) 322 # try to remove in 24.05 for the first time, if possible then 323 # - latest 3.x LTS 324 # - latest 3.x non-LTS as preview/for development 325 # 326 # - other versions in between only when reasonable need is stated for some package 327 # - backport every security critical fix release e.g. 3.0.y -> 3.0.y+1 but no new version, e.g. 3.1 -> 3.2 328 329 # If you do upgrade here, please update in pkgs/top-level/release.nix 330 # the permitted insecure version to ensure it gets cached for our users 331 # and backport this to stable release (at time of writing this 23.11). 332 openssl_1_1 = common { 333 version = "1.1.1w"; 334 hash = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg="; 335 patches = [ 336 ./1.1/nix-ssl-cert-file.patch 337 338 ( 339 if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch 340 ) 341 ]; 342 withDocs = true; 343 extraMeta = { 344 knownVulnerabilities = [ 345 "OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.11 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/" 346 ]; 347 }; 348 }; 349 350 openssl_3 = common { 351 version = "3.0.16"; 352 hash = "sha256-V+A8UP6rXTGxUq8rdk8QN5rs2O6S8WyYWYPOSpn374Y="; 353 354 patches = [ 355 ./3.0/nix-ssl-cert-file.patch 356 357 # openssl will only compile in KTLS if the current kernel supports it. 358 # This patch disables build-time detection. 359 ./3.0/openssl-disable-kernel-detection.patch 360 361 ( 362 if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch 363 ) 364 ]; 365 366 withDocs = true; 367 368 extraMeta = { 369 license = lib.licenses.asl20; 370 }; 371 }; 372 373 openssl_3_4 = common { 374 version = "3.4.1"; 375 hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM="; 376 377 patches = [ 378 ./3.0/nix-ssl-cert-file.patch 379 380 # openssl will only compile in KTLS if the current kernel supports it. 381 # This patch disables build-time detection. 382 ./3.0/openssl-disable-kernel-detection.patch 383 384 ( 385 if stdenv.hostPlatform.isDarwin then 386 ./3.4/use-etc-ssl-certs-darwin.patch 387 else 388 ./3.4/use-etc-ssl-certs.patch 389 ) 390 ]; 391 392 withDocs = true; 393 394 extraMeta = { 395 license = lib.licenses.asl20; 396 }; 397 }; 398}