nixpkgs/pkgs/development/python-modules/nassl/default.nix
Robert Scott 86e62e7386 python3Packages.nassl: improve overridden openssl versions
firstly override the correct respective base openssl version - this
gives us an approximately appropriate set of patches and
knownVulnerabilities to start with.

filter patches that don't apply to the overridden source, fixing
the build on darwin.
2021-11-06 21:52:34 +00:00

149 lines
4.3 KiB
Nix

{ lib
, fetchFromGitHub
, fetchurl
, buildPythonPackage
, pkgsStatic
, openssl_1_1
, openssl_1_0_2
, invoke
, tls-parser
, cacert
, pytestCheckHook
, pythonOlder
}:
let
zlibStatic = (pkgsStatic.zlib.override {
splitStaticOutput = false;
}).overrideAttrs (oldAttrs: {
NIX_CFLAGS_COMPILE = "${oldAttrs.NIX_CFLAGS_COMPILE} -fPIC";
});
nasslOpensslArgs = {
static = true;
enableSSL2 = true;
};
nasslOpensslFlagsCommon = [
"zlib"
"no-zlib-dynamic"
"no-shared"
"--with-zlib-lib=${zlibStatic.out}/lib"
"--with-zlib-include=${zlibStatic.out.dev}/include"
"enable-rc5"
"enable-md2"
"enable-gost"
"enable-cast"
"enable-idea"
"enable-ripemd"
"enable-mdc2"
"-fPIC"
];
opensslStatic = (openssl_1_1.override nasslOpensslArgs).overrideAttrs (
oldAttrs: rec {
name = "openssl-${version}";
version = "1.1.1h";
src = fetchurl {
url = "https://www.openssl.org/source/${name}.tar.gz";
sha256 = "1ncmcnh5bmxkwrvm0m1q4kdcjjfpwvlyjspjhibkxc6p9dvsi72w";
};
configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon ++ [
"enable-weak-ssl-ciphers"
"enable-tls1_3"
"no-async"
];
patches = builtins.filter (
p: (builtins.baseNameOf (toString p)) != "macos-yosemite-compat.patch"
) oldAttrs.patches;
buildInputs = oldAttrs.buildInputs ++ [ zlibStatic cacert ];
meta = oldAttrs.meta // {
knownVulnerabilities = [
"CVE-2020-1971"
"CVE-2021-23840"
"CVE-2021-23841"
"CVE-2021-3449"
"CVE-2021-3450"
"CVE-2021-3711"
"CVE-2021-3712"
];
};
}
);
opensslLegacyStatic = (openssl_1_0_2.override nasslOpensslArgs).overrideAttrs (
oldAttrs: rec {
name = "openssl-${version}";
version = "1.0.2e";
src = fetchurl {
url = "https://www.openssl.org/source/${name}.tar.gz";
sha256 = "1zqb1rff1wikc62a7vj5qxd1k191m8qif5d05mwdxz2wnzywlg72";
};
configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon;
patches = builtins.filter (
p: (builtins.baseNameOf (toString p)) == "darwin64-arm64.patch"
) oldAttrs.patches;
buildInputs = oldAttrs.buildInputs ++ [ zlibStatic ];
# openssl_1_0_2 needs `withDocs = false`
outputs = lib.remove "doc" oldAttrs.outputs;
}
);
in
buildPythonPackage rec {
pname = "nassl";
version = "4.0.1";
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "nabla-c0d3";
repo = pname;
rev = version;
hash = "sha256-QzO7ABh2weBO6NVFIj7kZpS8ashbDGompuvdKteJeUc=";
};
postPatch = let
legacyOpenSSLVersion = lib.replaceStrings ["."] ["_"] opensslLegacyStatic.version;
modernOpenSSLVersion = lib.replaceStrings ["."] ["_"] opensslStatic.version;
zlibVersion = zlibStatic.version;
in ''
mkdir -p deps/openssl-OpenSSL_${legacyOpenSSLVersion}/
cp ${opensslLegacyStatic.out}/lib/libssl.a \
${opensslLegacyStatic.out}/lib/libcrypto.a \
deps/openssl-OpenSSL_${legacyOpenSSLVersion}/
ln -s ${opensslLegacyStatic.out.dev}/include deps/openssl-OpenSSL_${legacyOpenSSLVersion}/include
ln -s ${opensslLegacyStatic.bin}/bin deps/openssl-OpenSSL_${legacyOpenSSLVersion}/apps
mkdir -p deps/openssl-OpenSSL_${modernOpenSSLVersion}/
cp ${opensslStatic.out}/lib/libssl.a \
${opensslStatic.out}/lib/libcrypto.a \
deps/openssl-OpenSSL_${modernOpenSSLVersion}/
ln -s ${opensslStatic.out.dev}/include deps/openssl-OpenSSL_${modernOpenSSLVersion}/include
ln -s ${opensslStatic.bin}/bin deps/openssl-OpenSSL_${modernOpenSSLVersion}/apps
mkdir -p deps/zlib-${zlibVersion}/
cp ${zlibStatic.out}/lib/libz.a deps/zlib-${zlibVersion}/
'';
propagatedBuildInputs = [ tls-parser ];
nativeBuildInputs = [ invoke ];
buildPhase = ''
invoke build.nassl
invoke package.wheel
'';
doCheck = true;
pythonImportsCheck = [ "nassl" ];
checkInputs = [ pytestCheckHook ];
disabledTests = [
"Online"
];
meta = with lib; {
homepage = "https://github.com/nabla-c0d3/nassl";
description = "Low-level OpenSSL wrapper for Python 3.7+";
platforms = with platforms; linux ++ darwin;
license = licenses.agpl3Only;
maintainers = with maintainers; [ veehaitch ];
};
}