libressl: add 4.3.1, remove unsupported 4.1.2, add myself as maintainer (#515600)

This commit is contained in:
Franz Pletz 2026-05-17 04:50:56 +00:00 committed by GitHub
commit 4e8be57041
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 44 additions and 19 deletions

View file

@ -23,6 +23,9 @@ let
pname = "libressl";
inherit version;
strictDeps = true;
__structuredAttrs = true;
src = fetchurl {
url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz";
inherit hash;
@ -58,6 +61,22 @@ let
doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
preCheck = ''
# Bail if any shared object has executable stack enabled. This can
# happen when an object produced from an assmbly file in libcrypto is
# missing a .note.GNU-stack section. An executable stack is dangerous
# and unintentional, but without this check the derivation will build
# and even run if W^X is not enforced; it would fail dangerously.
objdump -p **/*.so | awk '
BEGIN { res = 0 }
/file format/ { file = $1 }
/STACK/ { stack = 1; next }
stack {
if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 }
stack = 0
}
END { exit res }
'
export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
'';
@ -96,6 +115,7 @@ let
maintainers = with lib.maintainers; [
thoughtpolice
fpletz
ruuda
];
inherit knownVulnerabilities;
@ -111,32 +131,17 @@ let
identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version;
};
};
# https://github.com/libressl/portable/pull/1206
# This got merged in February 2026 and is included as of LibreSSL 4.3.0.
common-cmake-install-full-dirs-patch = fetchpatch {
url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch";
hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM=";
};
in
{
libressl_4_1 = generic {
version = "4.1.2";
hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE=";
# Fixes build on loongarch64
# https://github.com/libressl/portable/pull/1184
postPatch = ''
mkdir -p include/arch/loongarch64
cp ${
fetchurl {
url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h";
hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo=";
}
} include/arch/loongarch64/opensslconf.h
'';
patches = [
common-cmake-install-full-dirs-patch
];
};
# 4.2 was released October 2025 and will become unsupported on October 22,
# 2026, one year after the release of OpenBSD 7.8.
libressl_4_2 = generic {
version = "4.2.1";
hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws=";
@ -144,4 +149,24 @@ in
common-cmake-install-full-dirs-patch
];
};
# 4.3 was released April 2026 and will become unsupported one year after the
# release of OpenBSD 7.9.
libressl_4_3 = generic {
version = "4.3.1";
hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA=";
patches = [
# Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL
# 4.3 started requiring executable stack because some objects were missing
# a .note.GNU-stack section; will probably be included in the next release.
(fetchpatch {
url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch";
hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I=";
# This patch is written to be applied with -p0, with no leading path
# component, but Nix applies with -p1 by default, so we add it to not
# break compatibility with how other patches must be applied.
decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'";
})
];
};
}

View file

@ -6953,8 +6953,8 @@ with pkgs;
zunclient = with python313Packages; toPythonApplication python-zunclient;
inherit (callPackages ../by-name/li/libressl { })
libressl_4_1
libressl_4_2
libressl_4_3
;
openssl = openssl_3_6;