diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/openssl')
12 files changed, 494 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch new file mode 100644 index 000000000000..5ecfb4175569 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch @@ -0,0 +1,12 @@ +diff --git a/Configure b/Configure +index 494e0b3..0b448aa 100755 +--- a/Configure ++++ b/Configure +@@ -652,6 +652,8 @@ my %table=( + "darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", + "debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", + "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ++"darwin64-arm64-cc","cc:-arch arm64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ++"debug-darwin64-arm64-cc","cc:-arch arm64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", + # iPhoneOS/iOS + "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch new file mode 100644 index 000000000000..5765409fdd57 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch @@ -0,0 +1,16 @@ +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index e6d0e6e1a6..b89456fd87 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { +- file = ossl_safe_getenv(X509_get_default_cert_file_env()); ++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE"); ++ ++ if (!file) ++ file = ossl_safe_getenv(X509_get_default_cert_file_env()); + + if (file) + ok = (X509_load_cert_crl_file(ctx, file, diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch new file mode 100644 index 000000000000..3d9ee7e6a822 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch @@ -0,0 +1,13 @@ +diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h +--- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100 ++++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100 +@@ -81,8 +81,8 @@ + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR + # define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_FILE "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # else + # define X509_CERT_AREA "SSLROOT:[000000]" diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch new file mode 100644 index 000000000000..813c6bdf44ab --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch @@ -0,0 +1,13 @@ +diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h +--- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100 ++++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100 +@@ -81,8 +81,8 @@ + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR + # define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # else + # define X509_CERT_AREA "SSLROOT:[000000]" diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch b/nixpkgs/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch new file mode 100644 index 000000000000..b0e37e325611 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch @@ -0,0 +1,56 @@ +From cef404f1e7a598166cbc2fd2e0048f7e2d752ad5 Mon Sep 17 00:00:00 2001 +From: David Carlier <devnexen@gmail.com> +Date: Tue, 24 Aug 2021 22:40:14 +0100 +Subject: [PATCH] Darwin platform allows to build on releases before + Yosemite/ios 8. + +issue #16407 #16408 +--- + crypto/rand/rand_unix.c | 5 +---- + include/crypto/rand.h | 10 ++++++++++ + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c +index 43f1069d151d..0f4525106af7 100644 +--- a/crypto/rand/rand_unix.c ++++ b/crypto/rand/rand_unix.c +@@ -34,9 +34,6 @@ + #if defined(__OpenBSD__) + # include <sys/param.h> + #endif +-#if defined(__APPLE__) +-# include <CommonCrypto/CommonRandom.h> +-#endif + + #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) + # include <sys/types.h> +@@ -381,7 +378,7 @@ static ssize_t syscall_random(void *buf, size_t buflen) + if (errno != ENOSYS) + return -1; + } +-# elif defined(__APPLE__) ++# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) + if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) + return (ssize_t)buflen; + +diff --git a/include/crypto/rand.h b/include/crypto/rand.h +index 5350d3a93119..674f840fd13c 100644 +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -20,6 +20,16 @@ + + # include <openssl/rand.h> + ++# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM) ++# include <Availability.h> ++# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \ ++ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000) ++# define OPENSSL_APPLE_CRYPTO_RANDOM 1 ++# include <CommonCrypto/CommonCryptoError.h> ++# include <CommonCrypto/CommonRandom.h> ++# endif ++# endif ++ + /* forward declaration */ + typedef struct rand_pool_st RAND_POOL; + diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch new file mode 100644 index 000000000000..9e871cfb1d31 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index 244512c935..f0b70d7ea1 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -46,7 +46,9 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { +- file = ossl_safe_getenv(X509_get_default_cert_file_env()); ++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE"); ++ if (!file) ++ file = ossl_safe_getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx, file, + X509_FILETYPE_PEM) != 0); diff --git a/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch new file mode 100644 index 000000000000..e7090f49db6a --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index 37d73ca84c..e328896234 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp, + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { +- file = ossl_safe_getenv(X509_get_default_cert_file_env()); ++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE"); ++ if (!file) ++ file = ossl_safe_getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM, + libctx, propq) != 0); diff --git a/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch b/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch new file mode 100644 index 000000000000..baf162e88d09 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch @@ -0,0 +1,22 @@ +diff --git a/Configure b/Configure +index f0ad787bc4..a48d2008c6 100755 +--- a/Configure ++++ b/Configure +@@ -1688,17 +1688,6 @@ unless ($disabled{devcryptoeng}) { + unless ($disabled{ktls}) { + $config{ktls}=""; + if ($target =~ m/^linux/) { +- my $usr = "/usr/$config{cross_compile_prefix}"; +- chop($usr); +- if ($config{cross_compile_prefix} eq "") { +- $usr = "/usr"; +- } +- my $minver = (4 << 16) + (13 << 8) + 0; +- my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`); +- +- if ($verstr[2] < $minver) { +- disable('too-old-kernel', 'ktls'); +- } + } elsif ($target =~ m/^BSD/) { + my $cc = $config{CROSS_COMPILE}.$config{CC}; + system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1"); diff --git a/nixpkgs/pkgs/development/libraries/openssl/chacha.nix b/nixpkgs/pkgs/development/libraries/openssl/chacha.nix new file mode 100644 index 000000000000..bae3e53f441f --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/chacha.nix @@ -0,0 +1,82 @@ +{ lib, stdenv, fetchFromGitHub, perl, zlib +, withCryptodev ? false, cryptodev +}: + +with lib; +stdenv.mkDerivation { + pname = "openssl-chacha"; + version = "2016-08-22"; + + src = fetchFromGitHub { + owner = "PeterMosmans"; + repo = "openssl"; + rev = "293717318e903b95f4d7e83a98a087282f37efc3"; + sha256 = "134j3anjnj2q99xsd8d47bwvjp73qkdsimdd9riyjxa3hd8ysr00"; + }; + + outputs = [ "bin" "dev" "out" "man" ]; + setOutputFlags = false; + + nativeBuildInputs = [ perl zlib ]; + buildInputs = lib.optional withCryptodev cryptodev; + + configureScript = "./config"; + + configureFlags = [ + "zlib" + "shared" + "experimental-jpake" + "enable-md2" + "enable-rc5" + "enable-rfc3779" + "enable-gost" + "--libdir=lib" + "--openssldir=etc/ssl" + ] ++ lib.optionals withCryptodev [ + "-DHAVE_CRYPTODEV" + "-DUSE_CRYPTODEV_DIGESTS" + ]; + + makeFlags = [ + "MANDIR=$(man)/share/man" + ]; + + # Parallel building is broken in OpenSSL. + enableParallelBuilding = false; + + postInstall = '' + # If we're building dynamic libraries, then don't install static + # libraries. + if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then + rm "$out/lib/"*.a + fi + + mkdir -p $bin + mv $out/bin $bin/ + + mkdir $dev + mv $out/include $dev/ + + # remove dependency on Perl at runtime + rm -r $out/etc/ssl/misc + + rmdir $out/etc/ssl/{certs,private} + ''; + + postFixup = '' + # Check to make sure we don't depend on perl + if grep -r '${perl}' $out; then + echo "Found an erroneous dependency on perl ^^^" >&2 + exit 1 + fi + ''; + + meta = { + homepage = "https://www.openssl.org/"; + description = "A cryptographic library that implements the SSL and TLS protocols"; + platforms = [ "x86_64-linux" ]; + maintainers = [ lib.maintainers.cstrahan ]; + license = licenses.openssl; + priority = 10; # resolves collision with ‘man-pages’ + }; +} diff --git a/nixpkgs/pkgs/development/libraries/openssl/default.nix b/nixpkgs/pkgs/development/libraries/openssl/default.nix new file mode 100644 index 000000000000..390227cfe95c --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/default.nix @@ -0,0 +1,224 @@ +{ lib, stdenv, fetchurl, buildPackages, perl, coreutils +, withCryptodev ? false, cryptodev +, enableSSL2 ? false +, enableSSL3 ? false +, static ? stdenv.hostPlatform.isStatic +# Used to avoid cross compiling perl, for example, in darwin bootstrap tools. +# This will cause c_rehash to refer to perl via the environment, but otherwise +# will produce a perfectly functional openssl binary and library. +, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform +}: + +# Note: this package is used for bootstrapping fetchurl, and thus +# cannot use fetchpatch! All mutable patches (generated by GitHub or +# cgit) that are needed here should be included directly in Nixpkgs as +# files. + +let + common = { version, sha256, patches ? [], withDocs ? false, extraMeta ? {} }: + stdenv.mkDerivation rec { + pname = "openssl"; + inherit version; + + src = fetchurl { + url = "https://www.openssl.org/source/${pname}-${version}.tar.gz"; + inherit sha256; + }; + + inherit patches; + + postPatch = '' + patchShebangs Configure + '' + lib.optionalString (lib.versionOlder version "1.1.0") '' + patchShebangs test/* + for a in test/t* ; do + substituteInPlace "$a" \ + --replace /bin/rm rm + done + '' + # config is a configure script which is not installed. + + lib.optionalString (lib.versionAtLeast version "1.1.1") '' + substituteInPlace config --replace '/usr/bin/env' '${buildPackages.coreutils}/bin/env' + '' + lib.optionalString (lib.versionAtLeast version "1.1.0" && stdenv.hostPlatform.isMusl) '' + substituteInPlace crypto/async/arch/async_posix.h \ + --replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \ + '!defined(__ANDROID__) && !defined(__OpenBSD__) && 0' + ''; + + outputs = [ "bin" "dev" "out" "man" ] ++ lib.optional withDocs "doc"; + setOutputFlags = false; + separateDebugInfo = + !stdenv.hostPlatform.isDarwin && + !(stdenv.hostPlatform.useLLVM or false) && + stdenv.cc.isGNU; + + nativeBuildInputs = [ perl ]; + buildInputs = lib.optional withCryptodev cryptodev + # perl is included to allow the interpreter path fixup hook to set the + # correct interpreter in c_rehash. + ++ lib.optional withPerl perl; + + # TODO(@Ericson2314): Improve with mass rebuild + configurePlatforms = []; + configureScript = { + armv5tel-linux = "./Configure linux-armv4 -march=armv5te"; + armv6l-linux = "./Configure linux-armv4 -march=armv6"; + armv7l-linux = "./Configure linux-armv4 -march=armv7-a"; + x86_64-darwin = "./Configure darwin64-x86_64-cc"; + aarch64-darwin = "./Configure darwin64-arm64-cc"; + x86_64-linux = "./Configure linux-x86_64"; + x86_64-solaris = "./Configure solaris64-x86_64-gcc"; + riscv64-linux = "./Configure linux64-riscv64"; + }.${stdenv.hostPlatform.system} or ( + if stdenv.hostPlatform == stdenv.buildPlatform + then "./config" + else if stdenv.hostPlatform.isBSD && stdenv.hostPlatform.isx86_64 + then "./Configure BSD-x86_64" + else if stdenv.hostPlatform.isBSD && stdenv.hostPlatform.isx86_32 + then "./Configure BSD-x86" + lib.optionalString (stdenv.hostPlatform.parsed.kernel.execFormat.name == "elf") "-elf" + else if stdenv.hostPlatform.isBSD + then "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" + else if stdenv.hostPlatform.isMinGW + then "./Configure mingw${lib.optionalString + (stdenv.hostPlatform.parsed.cpu.bits != 32) + (toString stdenv.hostPlatform.parsed.cpu.bits)}" + else if stdenv.hostPlatform.isLinux + then "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" + else if stdenv.hostPlatform.isiOS + then "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross" + else + throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}" + ); + + # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags. + dontAddStaticConfigureFlags = true; + configureFlags = [ + "shared" # "shared" builds both shared and static libraries + "--libdir=lib" + "--openssldir=etc/ssl" + ] ++ lib.optionals withCryptodev [ + "-DHAVE_CRYPTODEV" + "-DUSE_CRYPTODEV_DIGESTS" + ] ++ lib.optional enableSSL2 "enable-ssl2" + ++ lib.optional enableSSL3 "enable-ssl3" + ++ lib.optional (lib.versionAtLeast version "3.0.0") "enable-ktls" + ++ lib.optional (lib.versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng" + # OpenSSL needs a specific `no-shared` configure flag. + # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options + # for a comprehensive list of configuration options. + ++ lib.optional (lib.versionAtLeast version "1.1.0" && static) "no-shared"; + + makeFlags = [ + "MANDIR=$(man)/share/man" + # This avoids conflicts between man pages of openssl subcommands (for + # example 'ts' and 'err') man pages and their equivalent top-level + # command in other packages (respectively man-pages and moreutils). + # This is done in ubuntu and archlinux, and possiibly many other distros. + "MANSUFFIX=ssl" + ]; + + enableParallelBuilding = true; + + postInstall = + lib.optionalString (!static) '' + # If we're building dynamic libraries, then don't install static + # libraries. + if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then + rm "$out/lib/"*.a + fi + '' + lib.optionalString (!stdenv.hostPlatform.isWindows) + # Fix bin/c_rehash's perl interpreter line + # + # - openssl 1_0_2: embeds a reference to buildPackages.perl + # - openssl 1_1: emits "#!/usr/bin/env perl" + # + # In the case of openssl_1_0_2, reset the invalid reference and let the + # interpreter hook take care of it. + # + # In both cases, if withPerl = false, the intepreter line is expected be + # "#!/usr/bin/env perl" + '' + substituteInPlace $out/bin/c_rehash --replace ${buildPackages.perl}/bin/perl "/usr/bin/env perl" + '' + '' + mkdir -p $bin + mv $out/bin $bin/bin + + mkdir $dev + mv $out/include $dev/ + + # remove dependency on Perl at runtime + rm -r $out/etc/ssl/misc + + rmdir $out/etc/ssl/{certs,private} + ''; + + postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) '' + # Check to make sure the main output doesn't depend on perl + if grep -r '${buildPackages.perl}' $out; then + echo "Found an erroneous dependency on perl ^^^" >&2 + exit 1 + fi + ''; + + meta = with lib; { + homepage = "https://www.openssl.org/"; + description = "A cryptographic library that implements the SSL and TLS protocols"; + license = licenses.openssl; + platforms = platforms.all; + } // extraMeta; + }; + +in { + + openssl_1_0_2 = common { + version = "1.0.2u"; + sha256 = "ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16"; + patches = [ + ./1.0.2/nix-ssl-cert-file.patch + + (if stdenv.hostPlatform.isDarwin + then ./1.0.2/use-etc-ssl-certs-darwin.patch + else ./1.0.2/use-etc-ssl-certs.patch) + ] ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-darwin") [ + ./1.0.2/darwin64-arm64.patch + ]; + extraMeta.knownVulnerabilities = [ "Support for OpenSSL 1.0.2 ended with 2019." ]; + }; + + openssl_1_1 = common rec { + version = "1.1.1m"; + sha256 = "sha256-+JGZvosjykX8fLnx2NPuZzEjGChq0DD1MWrKZGLbbJY="; + patches = [ + ./1.1/nix-ssl-cert-file.patch + + (if stdenv.hostPlatform.isDarwin + then ./use-etc-ssl-certs-darwin.patch + else ./use-etc-ssl-certs.patch) + ] ++ lib.optionals (stdenv.isDarwin && (builtins.substring 5 5 version) < "m") [ + ./1.1/macos-yosemite-compat.patch + ]; + withDocs = true; + }; + + openssl_3_0 = common { + version = "3.0.1"; + sha256 = "sha256-wxGthTNTvOeW7a0BqGLFCopYf2Ln4hAO9GWrU+ybBtE="; + patches = [ + ./3.0/nix-ssl-cert-file.patch + + # openssl will only compile in KTLS if the current kernel supports it. + # This patch disables build-time detection. + ./3.0/openssl-disable-kernel-detection.patch + + (if stdenv.hostPlatform.isDarwin + then ./use-etc-ssl-certs-darwin.patch + else ./use-etc-ssl-certs.patch) + ]; + + withDocs = true; + + extraMeta = with lib; { + license = licenses.asl20; + }; + }; +} diff --git a/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch new file mode 100644 index 000000000000..2c98ccfa7ed0 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch @@ -0,0 +1,13 @@ +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 329ef62..9a8df64 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM); + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR + # define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_FILE "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf" + # else diff --git a/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch new file mode 100644 index 000000000000..67d199681f96 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch @@ -0,0 +1,13 @@ +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 329ef62..9a8df64 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM); + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR + # define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf" + # else |