author | Alyssa Ross <hi@alyssa.is> | 2022-12-06 19:57:55 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-02-08 13:48:30 +0000 |
commit | bf3aadfdd39aa197e18bade671fab6726349ffa4 (patch) | |
tree | 698567af766ed441d757b57a7b21e68d4a342a2b /nixpkgs/pkgs/development/libraries/openssl | |
parent | f4afc5a01d9539ce09e47494e679c51f80723d07 (diff) | |
parent | 99665eb45f58d959d2cb9e49ddb960c79d596f33 (diff) | |
Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/openssl')
6 files changed, 53 insertions, 164 deletions
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch deleted file mode 100644 index 5ecfb4175569..000000000000 --- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff --git a/Configure b/Configure -index 494e0b3..0b448aa 100755 ---- a/Configure -+++ b/Configure -@@ -652,6 +652,8 @@ my %table=( - "darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", - "debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", - "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", -+"darwin64-arm64-cc","cc:-arch arm64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", -+"debug-darwin64-arm64-cc","cc:-arch arm64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", - # iPhoneOS/iOS - "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch deleted file mode 100644 index 5765409fdd57..000000000000 --- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c -index e6d0e6e1a6..b89456fd87 100644 ---- a/crypto/x509/by_file.c -+++ b/crypto/x509/by_file.c -@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { -- file = ossl_safe_getenv(X509_get_default_cert_file_env()); -+ file = ossl_safe_getenv("NIX_SSL_CERT_FILE"); -+ -+ if (!file) -+ file = ossl_safe_getenv(X509_get_default_cert_file_env()); - - if (file) - ok = (X509_load_cert_crl_file(ctx, file, diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch deleted file mode 100644 index 3d9ee7e6a822..000000000000 --- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h ---- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100 -+++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100 -@@ -81,8 +81,8 @@ - - # ifndef OPENSSL_SYS_VMS - # define X509_CERT_AREA OPENSSLDIR - # define X509_CERT_DIR OPENSSLDIR "/certs" --# define X509_CERT_FILE OPENSSLDIR "/cert.pem" -+# define X509_CERT_FILE "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" - # define X509_PRIVATE_DIR OPENSSLDIR "/private" - # else - # define X509_CERT_AREA "SSLROOT:[000000]" 
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch deleted file mode 100644 index 813c6bdf44ab..000000000000 --- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h ---- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100 -+++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100 -@@ -81,8 +81,8 @@ - - # ifndef OPENSSL_SYS_VMS - # define X509_CERT_AREA OPENSSLDIR - # define X509_CERT_DIR OPENSSLDIR "/certs" --# define X509_CERT_FILE OPENSSLDIR "/cert.pem" -+# define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt" - # define X509_PRIVATE_DIR OPENSSLDIR "/private" - # else - # define X509_CERT_AREA "SSLROOT:[000000]" diff --git a/nixpkgs/pkgs/development/libraries/openssl/chacha.nix b/nixpkgs/pkgs/development/libraries/openssl/chacha.nix deleted file mode 100644 index bae3e53f441f..000000000000 --- a/nixpkgs/pkgs/development/libraries/openssl/chacha.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, perl, zlib -, withCryptodev ? false, cryptodev -}: - -with lib; -stdenv.mkDerivation { - pname = "openssl-chacha"; - version = "2016-08-22"; - - src = fetchFromGitHub { - owner = "PeterMosmans"; - repo = "openssl"; - rev = "293717318e903b95f4d7e83a98a087282f37efc3"; - sha256 = "134j3anjnj2q99xsd8d47bwvjp73qkdsimdd9riyjxa3hd8ysr00"; - }; - - outputs = [ "bin" "dev" "out" "man" ]; - setOutputFlags = false; - - nativeBuildInputs = [ perl zlib ]; - buildInputs = lib.optional withCryptodev cryptodev; - - configureScript = "./config"; - - configureFlags = [ - "zlib" - "shared" - "experimental-jpake" - "enable-md2" - "enable-rc5" - "enable-rfc3779" - "enable-gost" - "--libdir=lib" - "--openssldir=etc/ssl" - ] ++ lib.optionals withCryptodev [ - "-DHAVE_CRYPTODEV" - "-DUSE_CRYPTODEV_DIGESTS" - ]; - - makeFlags = [ - "MANDIR=$(man)/share/man" - ]; - - # Parallel building is broken in OpenSSL. - enableParallelBuilding = false; - - postInstall = '' - # If we're building dynamic libraries, then don't install static - # libraries. - if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then - rm "$out/lib/"*.a - fi - - mkdir -p $bin - mv $out/bin $bin/ - - mkdir $dev - mv $out/include $dev/ - - # remove dependency on Perl at runtime - rm -r $out/etc/ssl/misc - - rmdir $out/etc/ssl/{certs,private} - ''; - - postFixup = '' - # Check to make sure we don't depend on perl - if grep -r '${perl}' $out; then - echo "Found an erroneous dependency on perl ^^^" >&2 - exit 1 - fi - ''; - - meta = { - homepage = "https://www.openssl.org/"; - description = "A cryptographic library that implements the SSL and TLS protocols"; - platforms = [ "x86_64-linux" ]; - maintainers = [ lib.maintainers.cstrahan ]; - license = licenses.openssl; - priority = 10; # resolves collision with ‘man-pages’ - }; -} 
diff --git a/nixpkgs/pkgs/development/libraries/openssl/default.nix b/nixpkgs/pkgs/development/libraries/openssl/default.nix index 33ddbf7018c5..0b4050c76cce 100644 --- a/nixpkgs/pkgs/development/libraries/openssl/default.nix +++ b/nixpkgs/pkgs/development/libraries/openssl/default.nix @@ -7,6 +7,7 @@ # This will cause c_rehash to refer to perl via the environment, but otherwise # will produce a perfectly functional openssl binary and library. , withPerl ? stdenv.hostPlatform == stdenv.buildPlatform +, removeReferencesTo }: # Note: this package is used for bootstrapping fetchurl, and thus @@ -43,9 +44,23 @@ let substituteInPlace crypto/async/arch/async_posix.h \ --replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \ '!defined(__ANDROID__) && !defined(__OpenBSD__) && 0' + '' + # Move ENGINESDIR into OPENSSLDIR for static builds, in order to move + # it to the separate etc output. + + lib.optionalString static '' + substituteInPlace Configurations/unix-Makefile.tmpl \ + --replace 'ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}' \ + 'ENGINESDIR=$(OPENSSLDIR)/engines-{- $sover_dirname -}' ''; - outputs = [ "bin" "dev" "out" "man" ] ++ lib.optional withDocs "doc"; + outputs = [ "bin" "dev" "out" "man" ] + ++ lib.optional withDocs "doc" + # Separate output for the runtime dependencies of the static build. + # Specifically, move OPENSSLDIR into this output, as its path will be + # compiled into 'libcrypto.a'. This makes it a runtime dependency of + # any package that statically links openssl, so we want to keep that + # output minimal. + ++ lib.optional static "etc"; setOutputFlags = false; separateDebugInfo = !stdenv.hostPlatform.isDarwin && 
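Review bot: The static-only `substituteInPlace Configurations/unix-Makefile.tmpl` has no check that the `ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}` pattern was actually found. This file builds more than one OpenSSL series, and if the template line differs in one of them the engines directory would presumably stay under `$out/lib`, the path that the static `postInstall` later scrubs from the archives. A one-line assertion after the substitution, e.g. `grep -qF 'ENGINESDIR=$(OPENSSLDIR)/engines-' Configurations/unix-Makefile.tmpl`, would turn a silent mismatch into a build failure. The enclosing shell string starts outside the hunk.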
@@ -69,6 +84,12 @@ let x86_64-linux = "./Configure linux-x86_64"; x86_64-solaris = "./Configure solaris64-x86_64-gcc"; riscv64-linux = "./Configure linux64-riscv64"; + mips64el-linux = + if stdenv.hostPlatform.isMips64n64 + then "./Configure linux64-mips64" + else if stdenv.hostPlatform.isMips64n32 + then "./Configure linux-mips64" + else throw "unsupported ABI for ${stdenv.hostPlatform.system}"; }.${stdenv.hostPlatform.system} or ( if stdenv.hostPlatform == stdenv.buildPlatform then "./config" @@ -95,7 +116,14 @@ let configureFlags = [ "shared" # "shared" builds both shared and static libraries "--libdir=lib" - "--openssldir=etc/ssl" + (if !static then + "--openssldir=etc/ssl" + else + # Move OPENSSLDIR to the 'etc' output for static builds. Prepend '/.' + # to the path to make it appear absolute before variable expansion, + # else the 'prefix' would be prepended to it. + "--openssldir=/.$(etc)/etc/ssl" + ) ] ++ lib.optionals withCryptodev [ "-DHAVE_CRYPTODEV" "-DUSE_CRYPTODEV_DIGESTS" @@ -106,7 +134,11 @@ let # OpenSSL needs a specific `no-shared` configure flag. # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options # for a comprehensive list of configuration options. - ++ lib.optional (lib.versionAtLeast version "1.1.0" && static) "no-shared"; + ++ lib.optional (lib.versionAtLeast version "1.1.0" && static) "no-shared" + # This introduces a reference to the CTLOG_FILE which is undesired when + # trying to build binaries statically. + ++ lib.optional static "no-ct" + ; makeFlags = [ "MANDIR=$(man)/share/man" 
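Review bot: The static branch of `--openssldir` compiles the `etc` output's store path into `libcrypto.a`, and the comment there explains the `/.` prefix trick but not the run-time consequence. Every statically linked consumer will resolve its configuration directory, and with the ENGINESDIR move earlier in this diff presumably its engines directory, from that absolute path. Static binaries are the ones most likely to be copied to hosts without a Nix store, where that path is not covered by store immutability. I would record that next to the flag, e.g. `# NOTE: the compiled-in path is only trustworthy where /nix/store is read-only; static consumers shipped elsewhere still look there for openssl.cnf and engines.`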
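Review bot: `lib.optional static "no-ct"` removes Certificate Transparency support from every static build, but the comment above it explains only the unwanted CTLOG_FILE reference, not that consequence. Consumers that link statically and rely on SCT validation will presumably either fail to build or lose that check, so the trade-off belongs where the flag is set, e.g. `# Side effect: static builds have no Certificate Transparency (SCT) support.` The `configureFlags` list begins outside this hunk.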
@@ -120,13 +152,19 @@ let enableParallelBuilding = true; postInstall = - lib.optionalString (!static) '' + (if static then '' + # OPENSSLDIR has a reference to self + ${removeReferencesTo}/bin/remove-references-to -t $out $out/lib/*.a + '' else '' # If we're building dynamic libraries, then don't install static # libraries. if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then rm "$out/lib/"*.a fi - '' + lib.optionalString (!stdenv.hostPlatform.isWindows) + + # 'etc' is a separate output on static builds only. + etc=$out + '') + lib.optionalString (!stdenv.hostPlatform.isWindows) # Fix bin/c_rehash's perl interpreter line # # - openssl 1_0_2: embeds a reference to buildPackages.perl @@ -147,14 +185,15 @@ let mv $out/include $dev/ # remove dependency on Perl at runtime - rm -r $out/etc/ssl/misc + rm -r $etc/etc/ssl/misc - rmdir $out/etc/ssl/{certs,private} + rmdir $etc/etc/ssl/{certs,private} ''; postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) '' - # Check to make sure the main output doesn't depend on perl - if grep -r '${buildPackages.perl}' $out; then + # Check to make sure the main output and the static runtime dependencies + # don't depend on perl + if grep -r '${buildPackages.perl}' $out $etc; then echo "Found an erroneous dependency on perl ^^^" >&2 exit 1 fi 
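Review bot: The comment `# OPENSSLDIR has a reference to self` above `remove-references-to -t $out $out/lib/*.a` is hard to reconcile with the static configuration in this same commit, where `--openssldir` points into the `etc` output rather than `$out`. The step rewrites every occurrence of the `$out` path inside the archives, so any other compiled-in path under `$out` becomes an invalid string in consumers. The comment should name which reference is being dropped and why that is safe, along the lines of `# <path still embedded in libcrypto.a> points at $out; strip it so static consumers depend only on the etc output`. The `postInstall` expression continues outside the hunk.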
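Review bot: `rm -r $etc/etc/ssl/misc` and `rmdir $etc/etc/ssl/{certs,private}` expand an unquoted variable that is assigned in the shell only on the non-static path (`etc=$out`) and otherwise has to come from the `etc` output; if it is ever empty they resolve to `/etc/ssl/...`. Writing them as `rm -r "''${etc:?}/etc/ssl/misc"` and `rmdir "''${etc:?}"/etc/ssl/{certs,private}` (the `''$` escapes Nix interpolation) makes that case abort the build. The same holds for `grep -r '${buildPackages.perl}' $out $etc` in `postFixup`, where an empty `$etc` would silently narrow the perl check to `$out`. Both strings begin outside the hunk.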
@@ -170,24 +209,10 @@ let in { - openssl_1_0_2 = common { - version = "1.0.2u"; - sha256 = "ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16"; - patches = [ - ./1.0.2/nix-ssl-cert-file.patch - - (if stdenv.hostPlatform.isDarwin - then ./1.0.2/use-etc-ssl-certs-darwin.patch - else ./1.0.2/use-etc-ssl-certs.patch) - ] ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-darwin") [ - ./1.0.2/darwin64-arm64.patch - ]; - extraMeta.knownVulnerabilities = [ "Support for OpenSSL 1.0.2 ended with 2019." ]; - }; openssl_1_1 = common rec { - version = "1.1.1n"; - sha256 = "sha256-QNzrUaT2pSdb3g5r8g70uRv8Mu1XwFUuLo4VRjNysXo="; + version = "1.1.1q"; + sha256 = "sha256-15Oc5hQCnN/wtsIPDi5XAxWKSJpyslB7i9Ub+Mj9EMo="; patches = [ ./1.1/nix-ssl-cert-file.patch @@ -200,9 +225,9 @@ in { withDocs = true; }; - openssl_3_0 = common { - version = "3.0.2"; - sha256 = "sha256-mOkczq1NR1auPJzeXgkZGo5YbZ9NUIOOfsCdZBHf22M="; + openssl_3 = common { + version = "3.0.5"; + sha256 = "sha256-qn2Nm+9xrWUlxVuhHl9Dl4ic5Jwsk0nc6m0+TwsCSno="; patches = [ ./3.0/nix-ssl-cert-file.patch |