mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-17 02:14:08 +00:00
8900543eb9
OpenBSD believes that PowerPC should be always-big-endian; this assumption seems to have propagated into recent releases of libressl. Since libressl is aliased to many other packages (e.g. netcat) it's important to fail early here, otherwise it's very difficult to figure out why libressl is getting dragged into a failing build.
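# LibreSSL package set: one shared builder (`generic`) instantiated for each
# supported release series at the bottom of the file.
{ stdenv
, fetchurl
, lib
, cmake
, cacert
, fetchpatch
, buildShared ? !stdenv.hostPlatform.isStatic
}:

let
  # Name of the dynamic-loader search-path variable on the build platform.
  ldLibPathEnvName = if stdenv.isDarwin
    then "DYLD_LIBRARY_PATH"
    else "LD_LIBRARY_PATH";

  # Builds one LibreSSL release.
  #   version              upstream release number, used in the tarball name
  #   hash                 fixed-output hash pinning the tarball contents
  #   patches              extra patches applied on top of the release
  #   knownVulnerabilities forwarded to meta.knownVulnerabilities; nixpkgs
  #                        treats a non-empty list as marking the package
  #                        insecure
  generic =
    { version
    , hash
    , patches ? []
    , knownVulnerabilities ? []
    }: stdenv.mkDerivation rec
    {
      pname = "libressl";
      inherit version;

      src = fetchurl {
        url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
        inherit hash;
      };

      nativeBuildInputs = [ cmake ];

      cmakeFlags = [
        "-DENABLE_NC=ON"
        # Ensure that the output libraries do not require an executable stack.
        # Without this define, assembly files in libcrypto do not include a
        # .note.GNU-stack section, and if that section is missing from any object,
        # the linker will make the stack executable.
        "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
        # libressl will append this to the regular prefix for libdir
        "-DCMAKE_INSTALL_LIBDIR=lib"
      ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";

      # The autoconf build is broken as of 2.9.1, resulting in the following error:
      # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
      # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
      # removing ./configure pre-config.
      preConfigure = ''
        rm configure
        substituteInPlace CMakeLists.txt \
          --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
          --replace 'libdir \''${exec_prefix}' 'libdir \''${prefix}'
      '';

      inherit patches;

      # Since 2.9.x the default location can't be configured from the build using
      # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
      # The replacement points libtls at the CA bundle shipped by the cacert
      # package.
      postPatch = ''
        patchShebangs tests/
        ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
          substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
        ''}
      '';

      # The test suite is skipped on 64-bit POWER and RISC-V hosts.
      doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);

      # Let the test binaries find the freshly built libtls/libssl/libcrypto.
      #
      # A doubled dollar sign before an opening brace is NOT an interpolation
      # in a Nix string, so the previous spelling reached the shell verbatim:
      # "$$" expanded to the shell's PID and the rest stayed literal text,
      # putting a bogus relative entry into the search path and discarding the
      # existing value. The variable is now referenced by its real name, and
      # the ":+" expansion avoids a leading empty path element (which glibc's
      # loader treats as the current directory) when the variable is unset.
      preCheck = ''
        export PREVIOUS_${ldLibPathEnvName}="''${${ldLibPathEnvName}-}"
        export ${ldLibPathEnvName}="''${${ldLibPathEnvName}:+''$${ldLibPathEnvName}:}$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
      '';
      # Put the loader search path back to what it was before the tests ran.
      postCheck = ''
        export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
      '';

      # netcat is split into its own "nc" output; the openssl and ocspcheck
      # tools go to "bin".
      outputs = [ "bin" "dev" "out" "man" "nc" ];

      postFixup = ''
        moveToOutput "bin/nc" "$nc"
        moveToOutput "bin/openssl" "$bin"
        moveToOutput "bin/ocspcheck" "$bin"
        moveToOutput "share/man/man1/nc.1.gz" "$nc"
      '';

      meta = with lib; {
        description = "Free TLS/SSL implementation";
        homepage = "https://www.libressl.org";
        license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
        platforms = platforms.all;
        maintainers = with maintainers; [ thoughtpolice fpletz ];
        inherit knownVulnerabilities;

        # OpenBSD believes that PowerPC should be always-big-endian;
        # this assumption seems to have propagated into recent
        # releases of libressl. Since libressl is aliased to many
        # other packages (e.g. netcat) it's important to fail early
        # here, otherwise it's very difficult to figure out why
        # libressl is getting dragged into a failing build.
        badPlatforms = with lib.systems.inspect.patterns;
          [ (lib.recursiveUpdate isPower64 isLittleEndian) ];
      };
    };

in {
  # Each attribute pins one release series to an exact version and tarball
  # hash; bumping a version requires updating the hash alongside it.
  libressl_3_6 = generic {
    version = "3.6.3";
    hash = "sha256-h7G7426e7I0K5fBMg9NrLFsOWBeEx+sIFwJe0p6t6jc=";
  };

  libressl_3_7 = generic {
    version = "3.7.3";
    hash = "sha256-eUjIVqkMglvXJotvhWdKjc0lS65C4iF4GyTj+NwzXbM=";
  };

  libressl_3_8 = generic {
    version = "3.8.2";
    hash = "sha256-bUuNW7slofgzZjnlbsUIgFLUOpUlZpeoXEzpEyPCWVQ=";
  };
}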