{ stdenv
, fetchurl
, lib
, cmake
, cacert
, fetchpatch
, buildShared ? !stdenv.hostPlatform.isStatic
}:

let
  # Name of the dynamic loader's search-path variable on the host platform.
  # The check phase exports it so the test programs can locate the libraries
  # built in-tree (tls/, ssl/, crypto/) before the package is installed.
  ldLibPathEnvName =
    if stdenv.hostPlatform.isDarwin then "DYLD_LIBRARY_PATH"
    else "LD_LIBRARY_PATH";

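  # Builds one LibreSSL release.  `version` and `hash` pin the upstream
  # tarball, `patches` are applied unchanged, and `knownVulnerabilities` is
  # forwarded to `meta` so an unsupported branch can be marked as such.
  generic =
    { version
    , hash
    , patches ? []
    , knownVulnerabilities ? []
    }: stdenv.mkDerivation rec
  {
    pname = "libressl";
    inherit version;

    # The release tarball is pinned by its SRI hash, so a changed upstream
    # artifact fails the fetch instead of silently entering the build.
    src = fetchurl {
      url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
      inherit hash;
    };

    nativeBuildInputs = [ cmake ];

    cmakeFlags = [
      "-DENABLE_NC=ON"
      # Ensure that the output libraries do not require an executable stack.
      # Without this define, assembly files in libcrypto do not include a
      # .note.GNU-stack section, and if that section is missing from any object,
      # the linker will make the stack executable.
      "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
      # libressl will append this to the regular prefix for libdir
      "-DCMAKE_INSTALL_LIBDIR=lib"
    ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";

    # The autoconf build is broken as of 2.9.1, resulting in the following error:
    # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
    # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
    # removing ./configure pre-config.
    preConfigure = ''
      rm configure
      substituteInPlace CMakeLists.txt \
        --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
        --replace 'libdir      \''${exec_prefix}' 'libdir \''${prefix}'
    '';

    inherit patches;

    # Since 2.9.x the default location can't be configured from the build using
    # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
    # The substitution replaces the "/etc/ssl/cert.pem" default compiled into
    # libtls with the nixpkgs CA bundle, which therefore becomes a runtime
    # dependency of the library; callers that set their own CA file are not
    # affected.
    postPatch = ''
      patchShebangs tests/
      ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
        substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
      ''}
    '';

    doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
    # The tests run against the freshly built, not yet installed, libraries, so
    # the loader search path is extended for the check phase and restored
    # afterwards.  `''$` is Nix's escape for a literal `$`, so the shell sees
    # `$LD_LIBRARY_PATH` (or the Darwin equivalent).  A plain `$${...}` is
    # not interpolated by Nix at all and would reach the shell as `$$`
    # followed by literal text, so the previous value would never be read.
    preCheck = ''
      export PREVIOUS_${ldLibPathEnvName}="''$${ldLibPathEnvName}"
      export ${ldLibPathEnvName}="''$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
    '';
    postCheck = ''
      export ${ldLibPathEnvName}="$PREVIOUS_${ldLibPathEnvName}"
    '';

    outputs = [ "bin" "dev" "out" "man" "nc" ];

    # Keep the command-line tools out of the library output: `nc` gets its
    # own output, the `openssl` and `ocspcheck` tools go to `bin`.
    postFixup = ''
      moveToOutput "bin/nc" "$nc"
      moveToOutput "bin/openssl" "$bin"
      moveToOutput "bin/ocspcheck" "$bin"
      moveToOutput "share/man/man1/nc.1.gz" "$nc"
    '';

    meta = with lib; {
      description = "Free TLS/SSL implementation";
      homepage    = "https://www.libressl.org";
      license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
      platforms   = platforms.all;
      maintainers = with maintainers; [ thoughtpolice fpletz ];
      # A non-empty list makes nixpkgs refuse to build the package unless the
      # user explicitly permits insecure packages, so this is where a release
      # branch that has lost upstream support should be recorded.
      inherit knownVulnerabilities;

      # OpenBSD believes that PowerPC should be always-big-endian;
      # this assumption seems to have propagated into recent
      # releases of libressl.  Since libressl is aliased to many
      # other packages (e.g. netcat) it's important to fail early
      # here, otherwise it's very difficult to figure out why
      # libressl is getting dragged into a failing build.
      badPlatforms = with lib.systems.inspect.patterns;
        [ (lib.recursiveUpdate isPower64 isLittleEndian) ];
    };
  };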

in let
  # One attribute per release branch; each is built by `generic` from its
  # version and the SRI hash of the upstream tarball.
  release = version: hash: generic { inherit version hash; };
in {
  # NOTE(review): upstream LibreSSL maintains only its two most recent
  # release branches.  Once a branch listed here has dropped out of upstream
  # support, consider building it via `generic` with `knownVulnerabilities`
  # set so consumers are warned -- confirm the support status first.
  libressl_3_6 = release "3.6.3"
    "sha256-h7G7426e7I0K5fBMg9NrLFsOWBeEx+sIFwJe0p6t6jc=";

  libressl_3_7 = release "3.7.3"
    "sha256-eUjIVqkMglvXJotvhWdKjc0lS65C4iF4GyTj+NwzXbM=";

  libressl_3_8 = release "3.8.4"
    "sha256-wM75z+F0rDZs5IL1Qv3bB3Ief6DK+s40tJqHIPo3/n0=";

  libressl_3_9 = release "3.9.1"
    "sha256-baC5VGlffuYrA/ZCAKik8Cr5Nxe2DM4Eq2yN8mLAelE=";
}