{ stdenv
, fetchurl
, lib
, cmake
  # Provides the CA bundle that is patched in as the default CA file below.
, cacert
  # NOTE(review): not referenced anywhere in this expression as visible here.
, fetchpatch
  # Build shared libraries unless the host platform is static.
, buildShared ? !stdenv.hostPlatform.isStatic
}:
let
# Name of the dynamic-loader search-path variable for the host platform;
# the check phase below extends it so the tests find the freshly built
# libraries.
ldLibPathEnvName =
  if !stdenv.isDarwin
  then "LD_LIBRARY_PATH"
  else "DYLD_LIBRARY_PATH";
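# Build one LibreSSL release.
#   version: upstream release number, also used to pick version-specific fixups
#   sha256:  hash of the upstream tarball (fetchurl verifies it)
#   patches: local patch files applied on top of the tarball (default: none)
generic = { version, sha256, patches ? [] }: stdenv.mkDerivation rec {
  pname = "libressl";
  inherit version;

  src = fetchurl {
    url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
    inherit sha256;
  };

  nativeBuildInputs = [ cmake ];

  cmakeFlags = [
    "-DENABLE_NC=ON"
    # Ensure that the output libraries do not require an executable stack.
    # Without this define, assembly files in libcrypto do not include a
    # .note.GNU-stack section, and if that section is missing from any object,
    # the linker will make the stack executable.
    "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
    # libressl will append this to the regular prefix for libdir
    "-DCMAKE_INSTALL_LIBDIR=lib"
  ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";

  # The autoconf build is broken as of 2.9.1, resulting in the following error:
  # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
  # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
  # removing ./configure pre-config.
  preConfigure = ''
    rm configure
  '';

  inherit patches;

  # Since 2.9.x the default location can't be configured from the build using
  # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
  # `substituteInPlace --replace` does nothing when the pattern is absent, so
  # verify afterwards that the bundle path actually landed in the source: a
  # missed substitution would silently leave the default at /etc/ssl/cert.pem,
  # which does not exist on NixOS, and fail the build loudly instead.
  postPatch = lib.optionalString (lib.versionAtLeast version "2.9.2") ''
    substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
    grep -qF '${cacert}/etc/ssl/certs/ca-bundle.crt' ./tls/tls_config.c \
      || { echo "postPatch: default CA file substitution did not apply to tls/tls_config.c" >&2; exit 1; }
  '';

  doCheck = true;

  # Extend the loader search path with the build directories of libtls, libssl
  # and libcrypto for the duration of the check phase (presumably so the test
  # programs resolve the just-built libraries — confirm), then restore it.
  preCheck = ''
    export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
    export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
  '';
  postCheck = ''
    export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
  '';

  outputs = [ "bin" "dev" "out" "man" "nc" ];

  # Split the command-line tools out of `out`: nc (and its man page) gets its
  # own output, openssl and ocspcheck go to `bin`.
  postFixup = ''
    moveToOutput "bin/nc" "$nc"
    moveToOutput "bin/openssl" "$bin"
    moveToOutput "bin/ocspcheck" "$bin"
    moveToOutput "share/man/man1/nc.1${lib.optionalString (dontGzipMan==null) ".gz"}" "$nc"
  '';

  # Also read by postFixup above: when null the man page is expected to have
  # been gzipped, so the nc.1 filename gets a ".gz" suffix.
  dontGzipMan = if stdenv.isDarwin then true else null; # not sure what's wrong

  meta = with lib; {
    description = "Free TLS/SSL implementation";
    homepage = "https://www.libressl.org";
    license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
    platforms = platforms.all;
    maintainers = with maintainers; [ thoughtpolice fpletz ];
  };
};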
in
let
  # Local patch for CVE-2021-41581 (see the patch file next to this
  # expression); applied to both packaged releases.
  cvePatches = [ ./CVE-2021-41581.patch ];
in {
  libressl_3_2 = generic {
    version = "3.2.5";
    sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
    patches = cvePatches;
  };

  libressl_3_4 = generic {
    version = "3.4.0";
    sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
    patches = cvePatches;
  };
}