movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 19:13:26 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/pkgs/development/libraries/openssl/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

399 lines
15 KiB
Nix
Raw Normal View History

openssl: remove run-time dependency of perl due to c_rehash Replaces perl based c_rehash script with shell script wrapping `openssl rehash` with the same functionality. Fixes: #19965 Supersedes: #156776, #83446 Possibly related to: #157093, #82924
2023-03-03 09:00:16 +00:00
{
lib,
stdenv,
fetchurl,
buildPackages,
perl,
coreutils,
writeShellScript,
openssl: use makeBinaryWrapper instead of makeShellWrapper This changes openssl to use makeBinaryWrapper since makeWrapper uses non-overridable runtimeShell that causes infinite recursion. That is, fetchurl in pkgs/top-level/all-packages.nix is bootstrapped by overriding dependencies to use stdenv.fetchurlBoot.
2024-09-01 00:46:26 +03:00
makeBinaryWrapper,
openssl: fix `cryptodev` fallout from d836b811cb533c4cacba9a932d4906cbb41abc7c
2018-11-18 08:01:02 +00:00
withCryptodev ? false,
cryptodev,
sslscan: enable TLS compression check
2022-09-08 14:06:02 +02:00
withZlib ? false,
zlib,
openssl: cc-wrapper can be relied on to export these env vars
2017-06-28 11:57:01 -04:00
enableSSL2 ? false,
sslscan: enabling scanning for sslv3
2020-04-13 21:23:22 +02:00
enableSSL3 ? false,
openssl: expose 'enable-md2' option needed e.g. to build `onlyoffice-documentserver` from source
2024-08-28 09:45:56 +02:00
enableMD2 ? false,
openssl: allow disabling ktls This allows disabling ktls on demand. E.g. for platforms where building with ktls fails. Co-authored-by: John Ericson <git@JohnEricson.me>
2023-02-18 13:22:36 +00:00
enableKTLS ? stdenv.hostPlatform.isLinux,
treewide: Start to break up static overlay We can use use `stdenv.hostPlatform.isStatic` instead, and move the logic per package. The least opionated benefit of this is that it makes it much easier to replace packages with modified ones, as there is no longer any issue of overlay order. CC @FRidh @matthewbauer
2020-12-20 06:11:26 +00:00
static ? stdenv.hostPlatform.isStatic,
openssl_legacy: init openssl_3, but with a openssl.cnf that enables legacy ciphers this way we can migrate away from openssl_1_1, while not breaking applications relying on deprecated stuff
2022-11-21 00:41:11 +01:00
# path to openssl.cnf file. will be placed in $etc/etc/ssl/openssl.cnf to replace the default
conf ? null,
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
removeReferencesTo,
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
testers,
openssl: cc-wrapper can be relied on to export these env vars
2017-06-28 11:57:01 -04:00
}:
* Remove calls to fail(). svn path=/nixpkgs/branches/stdenv-updates/; revision=11690
2008-04-23 07:34:20 +00:00
treewide: add warning comment to “boot” packages This adds a warning to the top of each “boot” package that reads: Note: this package is used for bootstrapping fetchurl, and thus cannot use fetchpatch! All mutable patches (generated by GitHub or cgit) that are needed here should be included directly in Nixpkgs as files. This makes it clear to maintainer that they may need to treat this package a little differently than others. Importantly, we can’t use fetchpatch here due to using <nix/fetchurl.nix>. To avoid having stale hashes, we need to include patches that are subject to changing overtime (for instance, gitweb’s patches contain a version number at the bottom).
2020-06-26 16:44:45 -04:00
# Note: this package is used for bootstrapping fetchurl, and thus
# cannot use fetchpatch! All mutable patches (generated by GitHub or
# cgit) that are needed here should be included directly in Nixpkgs as
# files.
Trying to make nixUnstable cross-build. It fails because it builds bin2c for the host system, instead of the build system. I will wait for a fix upstream. svn path=/nixpkgs/trunk/; revision=20445
2010-03-05 23:22:36 +00:00
let
openssl: use hash, add thillux as maintainer Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-07-25 17:31:27 +02:00
common =
{
version,
hash,
patches ? [ ],
withDocs ? false,
extraMeta ? { },
}:
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
stdenv.mkDerivation (finalAttrs: {
treewide: name -> pname
2019-08-13 21:52:01 +00:00
pname = "openssl";
inherit version;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
src = fetchurl {
openssl: switch to new download URL scheme (Github releases) OpenSSL used to provide their software downloads on openssl.org. Now they use links to Github releases. OpenSSL 1.1.1w is also available at Github, but with a small difference in the URL scheme. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-08-22 11:59:03 +02:00
url =
if lib.versionOlder version "3.0" then
let
versionFixed = builtins.replaceStrings [ "." ] [ "_" ] version;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
in
openssl: switch to new download URL scheme (Github releases) OpenSSL used to provide their software downloads on openssl.org. Now they use links to Github releases. OpenSSL 1.1.1w is also available at Github, but with a small difference in the URL scheme. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-08-22 11:59:03 +02:00
"https://github.com/openssl/openssl/releases/download/OpenSSL_${versionFixed}/openssl-${version}.tar.gz"
openssl: fix tests, also cleanup
2018-08-08 19:00:07 +00:00
else
openssl: remove `with lib` See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-15 16:06:53 +09:00
"https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz";
openssl: use hash, add thillux as maintainer Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-07-25 17:31:27 +02:00
inherit hash;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
};
openssl: remove `with lib` See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-15 16:06:53 +09:00
inherit patches;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: remove `with lib` See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-15 16:06:53 +09:00
postPatch =
''
openssl: correct cross compile for mingw
2021-01-01 21:42:07 +01:00
patchShebangs Configure
openssl: versionAtLeast 1.1.0 -> 1.1.1 we don't have/support 1.1.0 anymore, so 1.1.1 is the new minimum
2022-08-01 17:48:17 +02:00
''
+ lib.optionalString (lib.versionOlder version "1.1.1") ''
patchShebangs test/*
for a in test/t* ; do
openssl: fix tests, also cleanup
2018-08-08 19:00:07 +00:00
substituteInPlace "$a" \
--replace /bin/rm rm
done
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
''
# config is a configure script which is not installed.
+ lib.optionalString (lib.versionAtLeast version "1.1.1") ''
substituteInPlace config --replace '/usr/bin/env' '${buildPackages.coreutils}/bin/env'
openssl: fix tests, also cleanup
2018-08-08 19:00:07 +00:00
''
openssl: use makeBinaryWrapper instead of makeShellWrapper This changes openssl to use makeBinaryWrapper since makeWrapper uses non-overridable runtimeShell that causes infinite recursion. That is, fetchurl in pkgs/top-level/all-packages.nix is bootstrapped by overriding dependencies to use stdenv.fetchurlBoot.
2024-09-01 00:46:26 +03:00
+ lib.optionalString (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isMusl) ''
substituteInPlace crypto/async/arch/async_posix.h \
openssl: fix tests, also cleanup
2018-08-08 19:00:07 +00:00
--replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \
openssl: use makeBinaryWrapper instead of makeShellWrapper This changes openssl to use makeBinaryWrapper since makeWrapper uses non-overridable runtimeShell that causes infinite recursion. That is, fetchurl in pkgs/top-level/all-packages.nix is bootstrapped by overriding dependencies to use stdenv.fetchurlBoot.
2024-09-01 00:46:26 +03:00
'!defined(__ANDROID__) && !defined(__OpenBSD__) && 0'
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
openssl: fix static cross compilation
2022-09-20 16:25:47 +02:00
# Move ENGINESDIR into OPENSSLDIR for static builds, in order to move
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# it to the separate etc output.
openssl: fix static cross compilation
2022-09-20 16:25:47 +02:00
+ lib.optionalString static ''
openssl: cross compilation without host perl The perl reference is in the interpreter line for c_rehash, so fix that while we're here.
2021-03-11 17:12:41 +09:00
substituteInPlace Configurations/unix-Makefile.tmpl \
--replace 'ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}' \
'ENGINESDIR=$(OPENSSLDIR)/engines-{- $sover_dirname -}'
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
'';
openssl: cross compilation without host perl The perl reference is in the interpreter line for c_rehash, so fix that while we're here.
2021-03-11 17:12:41 +09:00
outputs =
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
[
"bin"
openssl: cross compilation without host perl The perl reference is in the interpreter line for c_rehash, so fix that while we're here.
2021-03-11 17:12:41 +09:00
"dev"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
"out"
lib, openssl: Get rid of openssl.system We compute it on the fly, careful to avoid any mass rebuilds for now.
2018-01-26 20:40:05 -05:00
"man"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
]
lib, openssl: Get rid of openssl.system We compute it on the fly, careful to avoid any mass rebuilds for now.
2018-01-26 20:40:05 -05:00
++ lib.optional withDocs "doc"
# Separate output for the runtime dependencies of the static build.
openssl: fix building for riscv32-linux Prior to 3.2, there's no linux32-riscv32 target, so we use linux-latomic as a best approximation in that case.
2024-09-02 12:18:45 +02:00
# Specifically, move OPENSSLDIR into this output, as its path will be
# compiled into 'libcrypto.a'. This makes it a runtime dependency of
# any package that statically links openssl, so we want to keep that
# output minimal.
++ lib.optional static "etc";
setOutputFlags = false;
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
separateDebugInfo =
openssl: don't create `separateDebugInfo` on android This causes an infinite recursion when evaling tests.cross.gcc.file.aarch64-android
2025-05-10 17:30:44 +02:00
!stdenv.hostPlatform.isDarwin
&& !stdenv.hostPlatform.isAndroid
&& !(stdenv.hostPlatform.useLLVM or false)
&& stdenv.cc.isGNU;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
nativeBuildInputs =
treewide: simplify exec format conditionals
2024-01-07 17:43:33 -08:00
lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper
++ [ perl ]
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
++ lib.optionals static [ removeReferencesTo ];
openssl: remove `with lib` See https://github.com/NixOS/nixpkgs/pull/150733/files#r785279764
2022-01-15 16:06:53 +09:00
buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: fix build for microblaze
2024-08-31 16:37:16 +02:00
# TODO(@Ericson2314): Improve with mass rebuild
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
configurePlatforms = [ ];
configureScript =
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
{
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
armv5tel-linux = "./Configure linux-armv4 -march=armv5te";
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
armv6l-linux = "./Configure linux-armv4 -march=armv6";
treewide: remove redundant quotes
2019-08-13 21:52:01 +00:00
armv7l-linux = "./Configure linux-armv4 -march=armv7-a";
openssl: switch to linux-x86 and linux-x86_64 targets
2019-10-21 01:05:07 +08:00
x86_64-darwin = "./Configure darwin64-x86_64-cc";
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
aarch64-darwin = "./Configure darwin64-arm64-cc";
openssl: switch to linux-x86 and linux-x86_64 targets
2019-10-21 01:05:07 +08:00
x86_64-linux = "./Configure linux-x86_64";
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
x86_64-solaris = "./Configure solaris64-x86_64-gcc";
powerpc64-linux = "./Configure linux-ppc64";
riscv32-linux = "./Configure ${
if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic"
lib, openssl: Get rid of openssl.system We compute it on the fly, careful to avoid any mass rebuilds for now.
2018-01-26 20:40:05 -05:00
}";
stdenv: introduce dontAddStaticConfigureFlags With removeUnknownConfigureFlags, it's impossible to express a package that needs --enable-static, but will not accept --disable-shared, without overriding the result of removeUnknownConfigureFlags _again_ in pkgs/top-level/static.nix. It would be much better (and more in line with the rest of Nixpkgs) if we encoded changes needed for static builds in package definitions themselves, rather than in an ever-expanding list in static.nix. This is especially true when doing it in static.nix is going to require multiple overrides to express what could be expressed with stdenv options. So as a step in that direction, and to fix the problem described above, here I replace removeUnknownConfigureFlags with a new stdenv option, dontAddStaticConfigureFlags. With this mechanism, a package that needs one but not both of the flags just needs to set dontAddStaticConfigureFlags and then set up configureFlags manually based on stdenv.hostPlatform.isStatic.
2021-06-11 18:42:26 +00:00
riscv64-linux = "./Configure linux64-riscv64";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
}
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
.${stdenv.hostPlatform.system} or (
if stdenv.hostPlatform == stdenv.buildPlatform then
openssl(_3): enable KTLS only on Linux This fixes build on *-darwin.
2022-11-02 09:33:15 +01:00
"./config"
else if stdenv.hostPlatform.isBSD then
if stdenv.hostPlatform.isx86_64 then
"./Configure BSD-x86_64"
openssl: allow disabling ktls This allows disabling ktls on demand. E.g. for platforms where building with ktls fails. Co-authored-by: John Ericson <git@JohnEricson.me>
2023-02-18 13:22:36 +00:00
else if stdenv.hostPlatform.isx86_32 then
openssl: versionAtLeast 1.1.0 -> 1.1.1 we don't have/support 1.1.0 anymore, so 1.1.1 is the new minimum
2022-08-01 17:48:17 +02:00
"./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf"
pkgsStatic: make OpenSSL 1.1 compile (#77542) * pkgsStatic: make OpenSSL 1.1 compile
2020-01-16 11:02:38 -08:00
else
"./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isMinGW then
"./Configure mingw${
openssl: versionAtLeast 1.1.0 -> 1.1.1 we don't have/support 1.1.0 anymore, so 1.1.1 is the new minimum
2022-08-01 17:48:17 +02:00
lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) (
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
toString stdenv.hostPlatform.parsed.cpu.bits
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
)
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
}"
openssl: Fix build on OpenBSD
2024-06-20 19:29:29 -04:00
else if stdenv.hostPlatform.isLinux then
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
if stdenv.hostPlatform.isx86_64 then
"./Configure linux-x86_64"
openssl: Fix build on OpenBSD
2024-06-20 19:29:29 -04:00
else if stdenv.hostPlatform.isMicroBlaze then
"./Configure linux-latomic"
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
else if stdenv.hostPlatform.isMips32 then
openssl: prevent -march= flags from being added on mips Openssl assumes that CFLAGS contains all of the flags that will be passed to the compiler. This assumption fails for nixpkgs due to our cc-wrapper. On mips platforms, openssl scans CFLAGS to see if the user passed a -march flag; if not, it adds its own: if ($target =~ /linux.*-mips/ && !$disabled{asm} && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); $value = '-mips3' if ($target =~ /mips64/); unshift @{$config{cflags}}, $value; unshift @{$config{cxxflags}}, $value if $config{CXX}; } Unfortunately since nixpkgs adds `-march=` in the wrapper, rather than the CFLAGS, openssl can't see it. The result is two conflicting `-march=` flags and a build failure when the user has customized `hostPlatform.gcc.arch`: openssl-mips64el-unknown-linux-gnuabin32> mips64el-unknown-linux-gnuabin32-gcc -I. -Iinclude -Iapps/include -fPIC -pthread -mabi=n32 -mips3 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSLDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/etc/ssl\"" -DENGINESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/engines-3\"" -DMODULESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF apps/lib/libapps-lib-engine.d.tmp -MT apps/lib/libapps-lib-engine.o -c -o apps/lib/libapps-lib-engine.o apps/lib/engine.c cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor make[1]: *** [Makefile:4254: apps/lib/libapps-lib-app_libctx.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: *** [Makefile:4262: apps/lib/libapps-lib-app_params.o] Error 1 make[1]: *** [Makefile:4270: apps/lib/libapps-lib-app_provider.o] Error 1 This commit defeats the perl code above by passing `CFLAGS=-march` to openssl's `./Configure` script.
2023-06-10 13:00:00 -07:00
"./Configure linux-mips32"
else if stdenv.hostPlatform.isMips64n32 then
openssl: clean up configure script decision This also fixes the build for big-endian MIPS systems.
2022-12-02 20:26:55 +01:00
"./Configure linux-mips64"
openssl: prevent -march= flags from being added on mips Openssl assumes that CFLAGS contains all of the flags that will be passed to the compiler. This assumption fails for nixpkgs due to our cc-wrapper. On mips platforms, openssl scans CFLAGS to see if the user passed a -march flag; if not, it adds its own: if ($target =~ /linux.*-mips/ && !$disabled{asm} && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); $value = '-mips3' if ($target =~ /mips64/); unshift @{$config{cflags}}, $value; unshift @{$config{cxxflags}}, $value if $config{CXX}; } Unfortunately since nixpkgs adds `-march=` in the wrapper, rather than the CFLAGS, openssl can't see it. The result is two conflicting `-march=` flags and a build failure when the user has customized `hostPlatform.gcc.arch`: openssl-mips64el-unknown-linux-gnuabin32> mips64el-unknown-linux-gnuabin32-gcc -I. -Iinclude -Iapps/include -fPIC -pthread -mabi=n32 -mips3 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSLDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/etc/ssl\"" -DENGINESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/engines-3\"" -DMODULESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF apps/lib/libapps-lib-engine.d.tmp -MT apps/lib/libapps-lib-engine.o -c -o apps/lib/libapps-lib-engine.o apps/lib/engine.c cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor make[1]: *** [Makefile:4254: apps/lib/libapps-lib-app_libctx.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: *** [Makefile:4262: apps/lib/libapps-lib-app_params.o] Error 1 make[1]: *** [Makefile:4270: apps/lib/libapps-lib-app_provider.o] Error 1 This commit defeats the perl code above by passing `CFLAGS=-march` to openssl's `./Configure` script.
2023-06-10 13:00:00 -07:00
else if stdenv.hostPlatform.isMips64n64 then
"./Configure linux64-mips64"
else
"./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isiOS then
"./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross"
else
throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
);
openssl: prevent -march= flags from being added on mips Openssl assumes that CFLAGS contains all of the flags that will be passed to the compiler. This assumption fails for nixpkgs due to our cc-wrapper. On mips platforms, openssl scans CFLAGS to see if the user passed a -march flag; if not, it adds its own: if ($target =~ /linux.*-mips/ && !$disabled{asm} && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); $value = '-mips3' if ($target =~ /mips64/); unshift @{$config{cflags}}, $value; unshift @{$config{cxxflags}}, $value if $config{CXX}; } Unfortunately since nixpkgs adds `-march=` in the wrapper, rather than the CFLAGS, openssl can't see it. The result is two conflicting `-march=` flags and a build failure when the user has customized `hostPlatform.gcc.arch`: openssl-mips64el-unknown-linux-gnuabin32> mips64el-unknown-linux-gnuabin32-gcc -I. -Iinclude -Iapps/include -fPIC -pthread -mabi=n32 -mips3 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSLDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/etc/ssl\"" -DENGINESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/engines-3\"" -DMODULESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF apps/lib/libapps-lib-engine.d.tmp -MT apps/lib/libapps-lib-engine.o -c -o apps/lib/libapps-lib-engine.o apps/lib/engine.c cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor make[1]: *** [Makefile:4254: apps/lib/libapps-lib-app_libctx.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: *** [Makefile:4262: apps/lib/libapps-lib-app_params.o] Error 1 make[1]: *** [Makefile:4270: apps/lib/libapps-lib-app_provider.o] Error 1 This commit defeats the perl code above by passing `CFLAGS=-march` to openssl's `./Configure` script.
2023-06-10 13:00:00 -07:00
# OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags.
dontAddStaticConfigureFlags = true;
openssl: fix man pages collisions (#66317)
2019-08-31 14:23:39 +02:00
configureFlags =
[
"shared" # "shared" builds both shared and static libraries
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
"--libdir=lib"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
(
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
if !static then
openssl: fix man pages collisions (#66317)
2019-08-31 14:23:39 +02:00
"--openssldir=etc/ssl"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
else
openssl: fix man pages collisions (#66317)
2019-08-31 14:23:39 +02:00
# Move OPENSSLDIR to the 'etc' output for static builds. Prepend '/.'
# to the path to make it appear absolute before variable expansion,
# else the 'prefix' would be prepended to it.
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
"--openssldir=/.$(etc)/etc/ssl"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
)
]
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
++ lib.optionals withCryptodev [
openssl: fix static cross compilation
2022-09-20 16:25:47 +02:00
"-DHAVE_CRYPTODEV"
"-DUSE_CRYPTODEV_DIGESTS"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
]
openssl: fix static cross compilation
2022-09-20 16:25:47 +02:00
++ lib.optional enableMD2 "enable-md2"
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
++ lib.optional enableSSL2 "enable-ssl2"
++ lib.optional enableSSL3 "enable-ssl3"
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# We select KTLS here instead of the configure-time detection (which we patch out).
# KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
openssl: remove run-time dependency of perl due to c_rehash Replaces perl based c_rehash script with shell script wrapping `openssl rehash` with the same functionality. Fixes: #19965 Supersedes: #156776, #83446 Possibly related to: #157093, #82924
2023-03-03 09:00:16 +00:00
++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls"
openssl: Fix windows cross compile It was broken by 18f1be707120b0bb5e2ddfb5058bc8d3c16f18cb
2023-05-03 13:02:49 +12:00
++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
# OpenSSL needs a specific `no-shared` configure flag.
# See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
openssl: remove run-time dependency of perl due to c_rehash Replaces perl based c_rehash script with shell script wrapping `openssl rehash` with the same functionality. Fixes: #19965 Supersedes: #156776, #83446 Possibly related to: #157093, #82924
2023-03-03 09:00:16 +00:00
# for a comprehensive list of configuration options.
++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared"
++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module"
# This introduces a reference to the CTLOG_FILE which is undesired when
openssl_3_3: hotfix for cmake builds Signed-off-by: Markus Theil <theil.markus@gmail.com> (cherry picked from commit fd1745b8607349440ff33b113a8b5eb2c5d96c15)
2024-09-23 17:57:58 +02:00
# trying to build binaries statically.
++ lib.optional static "no-ct"
++ lib.optional withZlib "zlib"
# /dev/crypto support has been dropped in OpenBSD 5.7.
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
#
openssl: Fix build on OpenBSD
2024-06-20 19:29:29 -04:00
# OpenBSD's ports does this too,
openssl_3_3: hotfix for cmake builds Signed-off-by: Markus Theil <theil.markus@gmail.com> (cherry picked from commit fd1745b8607349440ff33b113a8b5eb2c5d96c15)
2024-09-23 17:57:58 +02:00
# https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25.
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
#
openssl_3_3: hotfix for cmake builds Signed-off-by: Markus Theil <theil.markus@gmail.com> (cherry picked from commit fd1745b8607349440ff33b113a8b5eb2c5d96c15)
2024-09-23 17:57:58 +02:00
# https://github.com/openssl/openssl/pull/10565 indicated the
# intent was that this would be configured properly automatically,
pkgs/development/libraries: stdenv.lib -> lib
2021-01-22 00:00:13 +07:00
# but that doesn't appear to be the case.
++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng"
++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# This is necessary in order to avoid openssl adding -march
# flags which ultimately conflict with those added by
# cc-wrapper. Openssl assumes that it can scan CFLAGS to
# detect any -march flags, using this perl code:
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
#
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
#
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# The following bogus CFLAGS environment variable triggers the
openssl_3_3: move cmake rm to correct phase Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-09-24 07:51:40 +02:00
# the code above, inhibiting `./Configure` from adding the
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
# conflicting flags.
treewide: Per RFC45, remove all unquoted URLs
2020-03-31 21:11:51 -04:00
"CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
];
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: set up meta.changelog
2023-10-24 16:20:31 +02:00
makeFlags = [
"MANDIR=$(man)/share/man"
# This avoids conflicts between man pages of openssl subcommands (for
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
# example 'ts' and 'err') man pages and their equivalent top-level
# command in other packages (respectively man-pages and moreutils).
treewide: fix typos
2025-06-02 15:54:57 +02:00
# This is done in ubuntu and archlinux, and possibly many other distros.
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
"MANSUFFIX=ssl"
];
Trying to make nixUnstable cross-build. It fails because it builds bin2c for the host system, instead of the build system. I will wait for a fix upstream. svn path=/nixpkgs/trunk/; revision=20445
2010-03-05 23:22:36 +00:00
openssl: enable parallel building There is no improvement for the build duration of openssl 1.0 but the one of openssl 1.1 is reduced significantly.
2018-04-20 14:55:01 +02:00
enableParallelBuilding = true;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: Add `static` flag. Its effect on `postInstall` is carefully written to not cause recompilation in the default case.
2018-07-21 04:41:01 +02:00
postInstall =
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
(
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
if static then
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
openssl: disable ct feature in static mode (#173288) For static binaries to be relocatable, they can't depend on data files. Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2022-05-17 10:42:46 +01:00
# OPENSSLDIR has a reference to self
openssl: fix static cross compilation
2022-09-20 16:25:47 +02:00
remove-references-to -t $out $out/lib/*.a
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
else
''
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
# If we're building dynamic libraries, then don't install static
# libraries.
if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
rm "$out/lib/"*.a
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
fi
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# 'etc' is a separate output on static builds only.
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
etc=$out
''
)
+ ''
[staging] openssl: fix bin installation for static builds (#119825) Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-20 14:49:39 -07:00
mkdir -p $bin
mv $out/bin $bin/bin
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
+
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
lib.optionalString (!stdenv.hostPlatform.isWindows)
openssl: Fix windows cross compile It was broken by 18f1be707120b0bb5e2ddfb5058bc8d3c16f18cb
2023-05-03 13:02:49 +12:00
# makeWrapper is broken for windows cross (https://github.com/NixOS/nixpkgs/issues/120726)
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
openssl: remove run-time dependency of perl due to c_rehash Replaces perl based c_rehash script with shell script wrapping `openssl rehash` with the same functionality. Fixes: #19965 Supersedes: #156776, #83446 Possibly related to: #157093, #82924
2023-03-03 09:00:16 +00:00
# c_rehash is a legacy perl script with the same functionality
# as `openssl rehash`
# this wrapper script is created to maintain backwards compatibility without
# depending on perl
makeWrapper $bin/bin/openssl $bin/bin/c_rehash \
--add-flags "rehash"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
+ ''
openssl: fix indentation
2016-04-16 19:26:31 +03:00
mkdir $dev
mv $out/include $dev/
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
# remove dependency on Perl at runtime
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
rm -r $etc/etc/ssl/misc
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
rmdir $etc/etc/ssl/{certs,private}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
''
openssl_3_3: move cmake rm to correct phase Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-09-24 07:51:40 +02:00
+ lib.optionalString (conf != null) ''
openssl_3_3: hotfix for cmake builds Signed-off-by: Markus Theil <theil.markus@gmail.com> (cherry picked from commit fd1745b8607349440ff33b113a8b5eb2c5d96c15)
2024-09-23 17:57:58 +02:00
cat ${conf} > $etc/etc/ssl/openssl.cnf
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
'';
postFixup =
treewide: Remove usage of remaining redundant platform compatability stuff Want to get this out of here for 18.09, so it can be deprecated thereafter.
2018-08-20 14:43:41 -04:00
lib.optionalString (!stdenv.hostPlatform.isWindows) ''
openssl: split runtime dependencies of static builds into a separate output (#182444)
2022-07-23 23:06:06 +02:00
# Check to make sure the main output and the static runtime dependencies
# don't depend on perl
if grep -r '${buildPackages.perl}' $out $etc; then
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
echo "Found an erroneous dependency on perl ^^^" >&2
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
exit 1
fi
''
openssl_3_3: move cmake rm to correct phase Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-09-24 07:51:40 +02:00
+ lib.optionalString (lib.versionAtLeast version "3.3.0") ''
# cleanup cmake helpers for now (for OpenSSL >= 3.3), only rely on pkg-config.
# pkg-config gets its paths fixed correctly
rm -rf $dev/lib/cmake
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
'';
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
meta = {
treewide: Per RFC45, remove all unquoted URLs
2020-03-31 21:11:51 -04:00
homepage = "https://www.openssl.org/";
openssl: set up meta.changelog
2023-10-24 16:20:31 +02:00
changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
description = "Cryptographic library that implements the SSL and TLS protocols";
openssl: remove with statements
2024-08-16 13:58:29 -07:00
license = lib.licenses.openssl;
treewide: add meta.mainProgram (#255932)
2023-09-18 12:57:04 -05:00
mainProgram = "openssl";
openssl: remove with statements
2024-08-16 13:58:29 -07:00
maintainers = with lib.maintainers; [ thillux ];
teams = [ lib.teams.stridtech ];
openssl: Add `meta.pkgConfigModules` and test
2023-02-12 15:14:14 -05:00
pkgConfigModules = [
"libcrypto"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
"libssl"
"openssl"
];
openssl: remove with statements
2024-08-16 13:58:29 -07:00
platforms = lib.platforms.all;
openssl_1_0_2: mark as insecure; fixes #77503 (kinda) No vulnerabilities are know so far (to me), but still I'd go this way. Especially for 20.03 it seems better to deprecate it before official release happens. Current casualties: $ ./maintainers/scripts/rebuild-amount.sh --print HEAD HEAD^ Estimating rebuild amount by counting changed Hydra jobs. 87 x86_64-darwin 161 x86_64-linux
2020-02-21 18:17:48 +01:00
} // extraMeta;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 57b193d8ddeaf4f5219d2bae1d23b081e4906e57 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
});
in
{
openssl_3_1: remove and explicitely state versioning Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-11-29 22:06:37 +01:00
# intended version "policy":
# - 1.1 as long as some package exists, which does not build without it
openssl: update comments and add 1.1 deprecation notice Change from 23.05 to 23.11 and mention first deprecation try in 24.05. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-01-13 16:13:59 +01:00
# (tracking issue: https://github.com/NixOS/nixpkgs/issues/269713)
# try to remove in 24.05 for the first time, if possible then
openssl_3_1: remove and explicitely state versioning Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-11-29 22:06:37 +01:00
# - latest 3.x LTS
# - latest 3.x non-LTS as preview/for development
#
# - other versions in between only when reasonable need is stated for some package
# - backport every security critical fix release e.g. 3.0.y -> 3.0.y+1 but no new version, e.g. 3.1 -> 3.2
openssl: Unify 1.0.1 and 1.0.2 expressions
2016-02-03 13:54:22 +01:00
pkgs/top-level/release: cache openssl-1.1.1u instead of openssl-1.1.1t We were caching this insecure package as part of a decision during 23.05, we will now cache openssl-1.1.1u too as this is now the de-facto OpenSSL package on 23.05, which is EOL.
2023-06-18 17:51:06 +02:00
# If you do upgrade here, please update in pkgs/top-level/release.nix
# the permitted insecure version to ensure it gets cached for our users
openssl: update comments and add 1.1 deprecation notice Change from 23.05 to 23.11 and mention first deprecation try in 24.05. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-01-13 16:13:59 +01:00
# and backport this to stable release (at time of writing this 23.11).
openssl_1_1: drop a long unused patch
2022-11-01 17:32:27 +01:00
openssl_1_1 = common {
openssl_1_1: 1.1.1v -> 1.1.1w https://github.com/openssl/openssl/blob/OpenSSL_1_1_1w/NEWS
2023-09-11 17:27:39 +02:00
version = "1.1.1w";
openssl: use hash, add thillux as maintainer Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-07-25 17:31:27 +02:00
hash = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";
openssl_1_1: use the same default CA path as 1.0.* Fixes https://github.com/NixOS/nixpkgs/issues/54437
2019-01-21 21:15:42 +01:00
patches = [
./1.1/nix-ssl-cert-file.patch
(
openssl3: init at 3.0.0 Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-07 17:00:29 +00:00
if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch
)
openssl_1_1: use the same default CA path as 1.0.* Fixes https://github.com/NixOS/nixpkgs/issues/54437
2019-01-21 21:15:42 +01:00
];
openssl_1_1: Add "doc" output to contain HTML documentation This prevents cluttering up openssl_1_1.out with many megabytes of documentation. Fixes #51659
2018-12-09 01:42:05 -08:00
withDocs = true;
openssl_1_1: mark end-of-life https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ Closes: #210452
2023-05-18 01:15:13 +02:00
extraMeta = {
knownVulnerabilities = [
openssl: update comments and add 1.1 deprecation notice Change from 23.05 to 23.11 and mention first deprecation try in 24.05. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2024-01-13 16:13:59 +01:00
"OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.11 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/"
openssl_1_1: mark end-of-life https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ Closes: #210452
2023-05-18 01:15:13 +02:00
];
};
openssl_1_1_0: init at 1.1.0
2016-08-26 07:38:19 +00:00
};
openssl3: init at 3.0.0 Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-07 17:00:29 +00:00
openssl_3: rename from openssl_3_0 With their new versioning scheme, OpenSSL have committed[1] to API and ABI compatibility for the whole 3.x.x release series, so we shouldn't be overly specific in our attribute name. [1]: https://www.openssl.org/blog/blog/2018/11/28/version/
2022-06-27 13:35:16 +00:00
openssl_3 = common {
openssl_3: 3.0.15 -> 3.0.16 Security Fixes in 3.0.16: * Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176) * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143) Signed-off-by: Markus Theil <theil.markus@gmail.com>
2025-02-11 16:02:03 +01:00
version = "3.0.16";
hash = "sha256-V+A8UP6rXTGxUq8rdk8QN5rs2O6S8WyYWYPOSpn374Y=";
openssl_3: 3.0.11 -> 3.0.12 https://github.com/openssl/openssl/blob/openssl-3.0.12/NEWS.md Fixes: CVE-2023-5363
2023-10-24 16:07:47 +02:00
openssl3: init at 3.0.0 Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
2021-09-07 17:00:29 +00:00
patches = [
./3.0/nix-ssl-cert-file.patch
openssl_3_1: init at 3.1.1 OpenSSL 3.1 is the most recent release to develop against, while OpenSSL 3.0 is a LTS release, most developers should probably choose now (see: https://github.com/openssl/openssl/issues/20722). Add OpenSSL 3.1.1 in order to allow development against this version with Nix. Currently OpenSSL 3.0 and 3.1 are independent release lines. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-07-22 21:49:30 +02:00
# openssl will only compile in KTLS if the current kernel supports it.
# This patch disables build-time detection.
./3.0/openssl-disable-kernel-detection.patch
(
if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch
)
];
withDocs = true;
openssl: remove with statements
2024-08-16 13:58:29 -07:00
extraMeta = {
license = lib.licenses.asl20;
openssl_3_1: init at 3.1.1 OpenSSL 3.1 is the most recent release to develop against, while OpenSSL 3.0 is a LTS release, most developers should probably choose now (see: https://github.com/openssl/openssl/issues/20722). Add OpenSSL 3.1.1 in order to allow development against this version with Nix. Currently OpenSSL 3.0 and 3.1 are independent release lines. Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-07-22 21:49:30 +02:00
};
};
openssl_3_2: init at 3.2.0 Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-11-23 16:01:41 +01:00
openssl_3_4: init at 3.4.1; openssl_3_3: remove Updates OpenSSL 3.x latest to 3.4.1 Security Fixes in 3.4.1: * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797]) * Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)) Release notes: https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34 Some significant changes: * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics * SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before. * An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t Some new features: * Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions * New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps * Support for attribute certificates * Support for pkeyutl in combination with key encapsulation (e.q. PQC-KEMs): -encap/-decap Signed-off-by: Markus Theil <theil.markus@gmail.com>
2025-01-10 18:27:20 +01:00
openssl_3_4 = common {
version = "3.4.1";
openssl: fix hash This is the hash for the GitHub snapshot of the 3.4.1 tag, not the official tarball we're using. When the PR doing this update was updated after the tarballs came out, updating the hash was forgotten. I've checked the hashes of the other OpenSSL versions and they're fine. Fixes: c05c515eff3c ("openssl_3_4: init at 3.4.1; openssl_3_3: remove")
2025-02-11 17:43:04 +01:00
hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM=";
openssl_3_3: init at 3.3.0
2024-04-30 13:04:55 -07:00
patches = [
./3.0/nix-ssl-cert-file.patch
# openssl will only compile in KTLS if the current kernel supports it.
# This patch disables build-time detection.
./3.0/openssl-disable-kernel-detection.patch
(
if stdenv.hostPlatform.isDarwin then
openssl_3_4: init at 3.4.1; openssl_3_3: remove Updates OpenSSL 3.x latest to 3.4.1 Security Fixes in 3.4.1: * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797]) * Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)) Release notes: https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34 Some significant changes: * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics * SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before. * An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t Some new features: * Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions * New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps * Support for attribute certificates * Support for pkeyutl in combination with key encapsulation (e.q. PQC-KEMs): -encap/-decap Signed-off-by: Markus Theil <theil.markus@gmail.com>
2025-01-10 18:27:20 +01:00
./3.4/use-etc-ssl-certs-darwin.patch
openssl_3_2: remove and switch single user to the default openssl Signed-off-by: Markus Theil <theil.markus@gmail.com> Picked from PR https://github.com/NixOS/nixpkgs/pull/345998 except that vcunat used `openssl` instead of `openssl_3_3` I do think that we should be well covered with 3.0 and 3.3. https://github.com/openssl/openssl/blob/openssl-3.3.0/NEWS.md
2024-10-05 11:09:56 +02:00
else
openssl_3_4: init at 3.4.1; openssl_3_3: remove Updates OpenSSL 3.x latest to 3.4.1 Security Fixes in 3.4.1: * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797]) * Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)) Release notes: https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34 Some significant changes: * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics * SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before. * An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t Some new features: * Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions * New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps * Support for attribute certificates * Support for pkeyutl in combination with key encapsulation (e.q. PQC-KEMs): -encap/-decap Signed-off-by: Markus Theil <theil.markus@gmail.com>
2025-01-10 18:27:20 +01:00
./3.4/use-etc-ssl-certs.patch
openssl_3_2: remove and switch single user to the default openssl Signed-off-by: Markus Theil <theil.markus@gmail.com> Picked from PR https://github.com/NixOS/nixpkgs/pull/345998 except that vcunat used `openssl` instead of `openssl_3_3` I do think that we should be well covered with 3.0 and 3.3. https://github.com/openssl/openssl/blob/openssl-3.3.0/NEWS.md
2024-10-05 11:09:56 +02:00
)
openssl_3_3: init at 3.3.0
2024-04-30 13:04:55 -07:00
];
withDocs = true;
openssl: remove with statements
2024-08-16 13:58:29 -07:00
extraMeta = {
license = lib.licenses.asl20;
openssl_3_3: init at 3.3.0
2024-04-30 13:04:55 -07:00
};
};
* OpenSSL updated to 1.0.0a. svn path=/nixpkgs/branches/x-updates/; revision=22639
2010-07-18 21:54:14 +00:00
}
Reference in a new issue Copy permalink