mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
libressl: add 4.3.1, remove unsupported 4.1.2, add myself as maintainer (#515600)
This commit is contained in:
commit
4e8be57041
2 changed files with 44 additions and 19 deletions
|
|
@ -23,6 +23,9 @@ let
|
|||
pname = "libressl";
|
||||
inherit version;
|
||||
|
||||
strictDeps = true;
|
||||
__structuredAttrs = true;
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz";
|
||||
inherit hash;
|
||||
|
|
@ -58,6 +61,22 @@ let
|
|||
|
||||
doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
|
||||
preCheck = ''
|
||||
# Bail if any shared object has executable stack enabled. This can
|
||||
# happen when an object produced from an assmbly file in libcrypto is
|
||||
# missing a .note.GNU-stack section. An executable stack is dangerous
|
||||
# and unintentional, but without this check the derivation will build
|
||||
# and even run if W^X is not enforced; it would fail dangerously.
|
||||
objdump -p **/*.so | awk '
|
||||
BEGIN { res = 0 }
|
||||
/file format/ { file = $1 }
|
||||
/STACK/ { stack = 1; next }
|
||||
stack {
|
||||
if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 }
|
||||
stack = 0
|
||||
}
|
||||
END { exit res }
|
||||
'
|
||||
|
||||
export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
|
||||
export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
|
||||
'';
|
||||
|
|
@ -96,6 +115,7 @@ let
|
|||
maintainers = with lib.maintainers; [
|
||||
thoughtpolice
|
||||
fpletz
|
||||
ruuda
|
||||
];
|
||||
inherit knownVulnerabilities;
|
||||
|
||||
|
|
@ -111,32 +131,17 @@ let
|
|||
identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version;
|
||||
};
|
||||
};
|
||||
|
||||
# https://github.com/libressl/portable/pull/1206
|
||||
# This got merged in February 2026 and is included as of LibreSSL 4.3.0.
|
||||
common-cmake-install-full-dirs-patch = fetchpatch {
|
||||
url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch";
|
||||
hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM=";
|
||||
};
|
||||
in
|
||||
{
|
||||
libressl_4_1 = generic {
|
||||
version = "4.1.2";
|
||||
hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE=";
|
||||
# Fixes build on loongarch64
|
||||
# https://github.com/libressl/portable/pull/1184
|
||||
postPatch = ''
|
||||
mkdir -p include/arch/loongarch64
|
||||
cp ${
|
||||
fetchurl {
|
||||
url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h";
|
||||
hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo=";
|
||||
}
|
||||
} include/arch/loongarch64/opensslconf.h
|
||||
'';
|
||||
patches = [
|
||||
common-cmake-install-full-dirs-patch
|
||||
];
|
||||
};
|
||||
|
||||
# 4.2 was released October 2025 and will become unsupported on October 22,
|
||||
# 2026, one year after the release of OpenBSD 7.8.
|
||||
libressl_4_2 = generic {
|
||||
version = "4.2.1";
|
||||
hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws=";
|
||||
|
|
@ -144,4 +149,24 @@ in
|
|||
common-cmake-install-full-dirs-patch
|
||||
];
|
||||
};
|
||||
|
||||
# 4.3 was released April 2026 and will become unsupported one year after the
|
||||
# release of OpenBSD 7.9.
|
||||
libressl_4_3 = generic {
|
||||
version = "4.3.1";
|
||||
hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA=";
|
||||
patches = [
|
||||
# Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL
|
||||
# 4.3 started requiring executable stack because some objects were missing
|
||||
# a .note.GNU-stack section; will probably be included in the next release.
|
||||
(fetchpatch {
|
||||
url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch";
|
||||
hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I=";
|
||||
# This patch is written to be applied with -p0, with no leading path
|
||||
# component, but Nix applies with -p1 by default, so we add it to not
|
||||
# break compatibility with how other patches must be applied.
|
||||
decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'";
|
||||
})
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6953,8 +6953,8 @@ with pkgs;
|
|||
zunclient = with python313Packages; toPythonApplication python-zunclient;
|
||||
|
||||
inherit (callPackages ../by-name/li/libressl { })
|
||||
libressl_4_1
|
||||
libressl_4_2
|
||||
libressl_4_3
|
||||
;
|
||||
|
||||
openssl = openssl_3_6;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue