Diffstat (limited to 'nixpkgs/pkgs/development/libraries/libressl')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libressl/default.nix | 108 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch | 92 |
2 files changed, 200 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/libressl/default.nix b/nixpkgs/pkgs/development/libraries/libressl/default.nix
new file mode 100644
index 000000000000..613f7d3a2b34
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/libressl/default.nix
@@ -0,0 +1,108 @@
+{ stdenv
+, fetchurl
+, lib
+, cmake
+, cacert
+, fetchpatch
+, buildShared ? !stdenv.hostPlatform.isStatic
+}:
+
+let
+ ldLibPathEnvName = if stdenv.isDarwin
+ then "DYLD_LIBRARY_PATH"
+ else "LD_LIBRARY_PATH";
+
+ generic =
+ { version
+ , hash
+ , patches ? []
+ , knownVulnerabilities ? []
+ }: stdenv.mkDerivation rec
+ {
+ pname = "libressl";
+ inherit version;
+
+ src = fetchurl {
+ url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
+ inherit hash;
+ };
+
+ nativeBuildInputs = [ cmake ];
+
+ cmakeFlags = [
+ "-DENABLE_NC=ON"
+ # Ensure that the output libraries do not require an executable stack.
+ # Without this define, assembly files in libcrypto do not include a
+ # .note.GNU-stack section, and if that section is missing from any object,
+ # the linker will make the stack executable.
+ "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
+ # libressl will append this to the regular prefix for libdir
+ "-DCMAKE_INSTALL_LIBDIR=lib"
+ ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";
+
+ # The autoconf build is broken as of 2.9.1, resulting in the following error:
+ # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
+ # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
+ # removing ./configure pre-config.
+ preConfigure = ''
+ rm configure
+ substituteInPlace CMakeLists.txt \
+ --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
+ --replace 'libdir \''${exec_prefix}' 'libdir \''${prefix}'
+ '';
+
+ inherit patches;
+
+ # Since 2.9.x the default location can't be configured from the build using
+ # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
+ postPatch = ''
+ patchShebangs tests/
+ ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
+ substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
+ ''}
+ '';
+
+ doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
+ preCheck = ''
+ export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
+ export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
+ '';
+ postCheck = ''
+ export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
+ '';
+
+ outputs = [ "bin" "dev" "out" "man" "nc" ];
+
+ postFixup = ''
+ moveToOutput "bin/nc" "$nc"
+ moveToOutput "bin/openssl" "$bin"
+ moveToOutput "bin/ocspcheck" "$bin"
+ moveToOutput "share/man/man1/nc.1.gz" "$nc"
+ '';
+
+ meta = with lib; {
+ description = "Free TLS/SSL implementation";
+ homepage = "https://www.libressl.org";
+ license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
+ platforms = platforms.all;
+ maintainers = with maintainers; [ thoughtpolice fpletz ];
+ inherit knownVulnerabilities;
+ };
+ };
+
+in {
+ libressl_3_6 = generic {
+ version = "3.6.3";
+ hash = "sha256-h7G7426e7I0K5fBMg9NrLFsOWBeEx+sIFwJe0p6t6jc=";
+ };
+
+ libressl_3_7 = generic {
+ version = "3.7.3";
+ hash = "sha256-eUjIVqkMglvXJotvhWdKjc0lS65C4iF4GyTj+NwzXbM=";
+ };
+
+ libressl_3_8 = generic {
+ version = "3.8.2";
+ hash = "sha256-bUuNW7slofgzZjnlbsUIgFLUOpUlZpeoXEzpEyPCWVQ=";
+ };
+}
diff --git a/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch b/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
new file mode 100644
index 000000000000..db482bcb35da
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
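Review bot: The CA-bundle rewrite in `postPatch` uses plain `--replace`, which silently does nothing if a future LibreSSL release moves or changes the `"/etc/ssl/cert.pem"` default in tls/tls_config.c; libtls would then be built with a default CA file that does not exist in the store, and every consumer relying on that default would fail certificate verification with no build-time signal. If this nixpkgs already has `--replace-fail`, use it so the build breaks instead: `substituteInPlace ./tls/tls_config.c --replace-fail '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'`; the `lib.versionAtLeast version "2.9.2"` guard is always true for the three 3.x versions defined below and can go at the same time. The two CMakeLists.txt substitutions in `preConfigure` have the same silent-no-op property and would benefit from the same treatment. Separately, `fetchpatch` is accepted as an argument but never used, and the `fix-build-with-glibc.patch` added next to this file is not referenced by any of the three `generic` calls (`patches` defaults to `[]`), which looks like a leftover worth confirming.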
@@ -0,0 +1,92 @@
+diff --git a/tests/explicit_bzero.c b/tests/explicit_bzero.c
+index 34c60baa8a..9c0e917829 100644
+--- a/tests/explicit_bzero.c
++++ b/tests/explicit_bzero.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: explicit_bzero.c,v 1.6 2014/07/11 01:10:35 matthew Exp $ */
++/* $OpenBSD: explicit_bzero.c,v 1.7 2021/03/27 11:17:58 bcook Exp $ */
+ /*
+ * Copyright (c) 2014 Google Inc.
+ *
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <errno.h>
+ #include <signal.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+
+@@ -36,19 +37,33 @@ enum {
+ SECRETBYTES = SECRETCOUNT * sizeof(secret)
+ };
+
+-static char altstack[SIGSTKSZ + SECRETBYTES];
++/*
++ * As of glibc 2.34, when _GNU_SOURCE is defined, SIGSTKSZ is no longer
++ * constant on Linux. SIGSTKSZ is redefined to sysconf (_SC_SIGSTKSZ).
++ */
++static char *altstack;
++#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
+
+ static void
+ setup_stack(void)
+ {
++ altstack = calloc(1, ALTSTACK_SIZE);
++ ASSERT_NE(NULL, altstack);
++
+ const stack_t sigstk = {
+ .ss_sp = altstack,
+- .ss_size = sizeof(altstack),
++ .ss_size = ALTSTACK_SIZE
+ };
+
+ ASSERT_EQ(0, sigaltstack(&sigstk, NULL));
+ }
+
++static void
++cleanup_stack(void)
++{
++ free(altstack);
++}
++
+ static void
+ assert_on_stack(void)
+ {
+@@ -129,7 +144,7 @@ test_without_bzero()
+ char buf[SECRETBYTES];
+ assert_on_stack();
+ populate_secret(buf, sizeof(buf));
+- char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
++ char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ ASSERT_NE(NULL, res);
+ return (res);
+ }
+@@ -140,7 +155,7 @@ test_with_bzero()
+ char buf[SECRETBYTES];
+ assert_on_stack();
+ populate_secret(buf, sizeof(buf));
+- char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
++ char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ ASSERT_NE(NULL, res);
+ explicit_bzero(buf, sizeof(buf));
+ return (res);
+@@ -183,15 +198,17 @@ main()
+ * on the stack. This sanity checks that call_on_stack() and
+ * populate_secret() work as intended.
+ */
+- memset(altstack, 0, sizeof(altstack));
++ memset(altstack, 0, ALTSTACK_SIZE);
+ call_on_stack(do_test_without_bzero);
+
+ /*
+ * Now test with a call to explicit_bzero() and check that we
+ * *don't* find any instances of the secret data.
+ */
+- memset(altstack, 0, sizeof(altstack));
++ memset(altstack, 0, ALTSTACK_SIZE);
+ call_on_stack(do_test_with_bzero);
+
++ cleanup_stack();
++
+ return (0);
+ }