diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/openssl/default.nix')
| -rw-r--r-- | nixpkgs/pkgs/development/libraries/openssl/default.nix | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/openssl/default.nix b/nixpkgs/pkgs/development/libraries/openssl/default.nix new file mode 100644 index 000000000000..ce4374be3312 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/default.nix @@ -0,0 +1,174 @@ +{ lib, stdenv, fetchurl, buildPackages, perl, coreutils +, withCryptodev ? false, cryptodev +, enableSSL2 ? false +, enableSSL3 ? false +, static ? stdenv.hostPlatform.isStatic +}: + +# Note: this package is used for bootstrapping fetchurl, and thus +# cannot use fetchpatch! All mutable patches (generated by GitHub or +# cgit) that are needed here should be included directly in Nixpkgs as +# files. + +with lib; + +let + common = { version, sha256, patches ? [], withDocs ? false, extraMeta ? {} }: + stdenv.mkDerivation rec { + pname = "openssl"; + inherit version; + + src = fetchurl { + url = "https://www.openssl.org/source/${pname}-${version}.tar.gz"; + inherit sha256; + }; + + inherit patches; + + postPatch = '' + patchShebangs Configure + '' + optionalString (versionOlder version "1.1.0") '' + patchShebangs test/* + for a in test/t* ; do + substituteInPlace "$a" \ + --replace /bin/rm rm + done + '' + optionalString (versionAtLeast version "1.1.1") '' + substituteInPlace config --replace '/usr/bin/env' '${coreutils}/bin/env' + '' + optionalString (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isMusl) '' + substituteInPlace crypto/async/arch/async_posix.h \ + --replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \ + '!defined(__ANDROID__) && !defined(__OpenBSD__) && 0' + ''; + + outputs = [ "bin" "dev" "out" "man" ] ++ optional withDocs "doc"; + setOutputFlags = false; + separateDebugInfo = !(stdenv.hostPlatform.useLLVM or false) && stdenv.cc.isGNU; + + nativeBuildInputs = [ perl ]; + buildInputs = lib.optional withCryptodev cryptodev; + + # TODO(@Ericson2314): Improve with mass rebuild + configurePlatforms = []; + configureScript = { + armv5tel-linux = "./Configure linux-armv4 -march=armv5te"; + armv6l-linux = "./Configure linux-armv4 -march=armv6"; + armv7l-linux = "./Configure linux-armv4 -march=armv7-a"; + x86_64-darwin = "./Configure darwin64-x86_64-cc"; + x86_64-linux = "./Configure linux-x86_64"; + x86_64-solaris = "./Configure solaris64-x86_64-gcc"; + }.${stdenv.hostPlatform.system} or ( + if stdenv.hostPlatform == stdenv.buildPlatform + then "./config" + else if stdenv.hostPlatform.isMinGW + then "./Configure mingw${optionalString + (stdenv.hostPlatform.parsed.cpu.bits != 32) + (toString stdenv.hostPlatform.parsed.cpu.bits)}" + else if stdenv.hostPlatform.isLinux + then (if stdenv.hostPlatform.isx86_64 + then "./Configure linux-x86_64" + else "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}") + else if stdenv.hostPlatform.isiOS + then "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross" + else + throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}" + ); + + configureFlags = [ + "shared" # "shared" builds both shared and static libraries + "--libdir=lib" + "--openssldir=etc/ssl" + ] ++ lib.optionals withCryptodev [ + "-DHAVE_CRYPTODEV" + "-DUSE_CRYPTODEV_DIGESTS" + ] ++ lib.optional enableSSL2 "enable-ssl2" + ++ lib.optional enableSSL3 "enable-ssl3" + ++ lib.optional (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng" + # OpenSSL needs a specific `no-shared` configure flag. + # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options + # for a comprehensive list of configuration options. + ++ lib.optional (versionAtLeast version "1.1.0" && static) "no-shared"; + + makeFlags = [ + "MANDIR=$(man)/share/man" + # This avoids conflicts between man pages of openssl subcommands (for + # example 'ts' and 'err') man pages and their equivalent top-level + # command in other packages (respectively man-pages and moreutils). + # This is done in ubuntu and archlinux, and possiibly many other distros. + "MANSUFFIX=ssl" + ]; + + enableParallelBuilding = true; + + postInstall = + lib.optionalString (!static) '' + # If we're building dynamic libraries, then don't install static + # libraries. + if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then + rm "$out/lib/"*.a + fi + + '' + + '' + mkdir -p $bin + '' + lib.optionalString (!stdenv.hostPlatform.isWindows) + '' + substituteInPlace $out/bin/c_rehash --replace ${buildPackages.perl} ${perl} + '' + + '' + mv $out/bin $bin/ + + mkdir $dev + mv $out/include $dev/ + + # remove dependency on Perl at runtime + rm -r $out/etc/ssl/misc + + rmdir $out/etc/ssl/{certs,private} + ''; + + postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) '' + # Check to make sure the main output doesn't depend on perl + if grep -r '${buildPackages.perl}' $out; then + echo "Found an erroneous dependency on perl ^^^" >&2 + exit 1 + fi + ''; + + meta = with lib; { + homepage = "https://www.openssl.org/"; + description = "A cryptographic library that implements the SSL and TLS protocols"; + license = licenses.openssl; + platforms = platforms.all; + maintainers = [ maintainers.peti ]; + } // extraMeta; + }; + +in { + + openssl_1_0_2 = common { + version = "1.0.2u"; + sha256 = "ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16"; + patches = [ + ./1.0.2/nix-ssl-cert-file.patch + + (if stdenv.hostPlatform.isDarwin + then ./1.0.2/use-etc-ssl-certs-darwin.patch + else ./1.0.2/use-etc-ssl-certs.patch) + ]; + extraMeta.knownVulnerabilities = [ "Support for OpenSSL 1.0.2 ended with 2019." ]; + }; + + openssl_1_1 = common { + version = "1.1.1i"; + sha256 = "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"; + patches = [ + ./1.1/nix-ssl-cert-file.patch + + (if stdenv.hostPlatform.isDarwin + then ./1.1/use-etc-ssl-certs-darwin.patch + else ./1.1/use-etc-ssl-certs.patch) + ]; + withDocs = true; + }; +} |