openssl: remove run-time dependency of perl due to c_rehash

Replaces perl based c_rehash script with shell script wrapping `openssl rehash` with the same functionality. Fixes: NixOS#19965 Supersedes: NixOS#156776, NixOS#83446 Possibly related to: NixOS#157093, NixOS#82924
awakesecurity · Jan 13, 2024 · af180b9 · af180b9
1 parent 1f31625
commit af180b9
Showing 1 changed file with 18 additions and 23 deletions.
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
@@ -1,13 +1,13 @@
-{ lib, stdenv, fetchurl, buildPackages, perl, coreutils
+{ lib, stdenv, fetchurl, buildPackages, perl, coreutils, writeShellScript
+, makeWrapper
 , withCryptodev ? false, cryptodev
+, withZlib ? false, zlib
 , enableSSL2 ? false
 , enableSSL3 ? false
 , enableKTLS ? stdenv.isLinux
 , static ? stdenv.hostPlatform.isStatic
-# Used to avoid cross compiling perl, for example, in darwin bootstrap tools.
-# This will cause c_rehash to refer to perl via the environment, but otherwise
-# will produce a perfectly functional openssl binary and library.
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform
+# path to openssl.cnf file. will be placed in $etc/etc/ssl/openssl.cnf to replace the default
+, conf ? null
 , removeReferencesTo
 , testers
 }:
@@ -69,12 +69,10 @@ let
       !(stdenv.hostPlatform.useLLVM or false) &&
       stdenv.cc.isGNU;
 
-    nativeBuildInputs = [ perl ]
+    nativeBuildInputs = [ makeWrapper perl ]
       ++ lib.optionals static [ removeReferencesTo ];
     buildInputs = lib.optional withCryptodev cryptodev
-      # perl is included to allow the interpreter path fixup hook to set the
-      # correct interpreter in c_rehash.
-      ++ lib.optional withPerl perl;
+      ++ lib.optional withZlib zlib;
 
     # TODO(@Ericson2314): Improve with mass rebuild
     configurePlatforms = [];
@@ -141,6 +139,7 @@ let
       # This introduces a reference to the CTLOG_FILE which is undesired when
       # trying to build binaries statically.
       ++ lib.optional static "no-ct"
+      ++ lib.optional withZlib "zlib"
       ;
 
     makeFlags = [
@@ -167,30 +166,26 @@ let
 
       # 'etc' is a separate output on static builds only.
       etc=$out
-    '') + lib.optionalString (!stdenv.hostPlatform.isWindows)
-      # Fix bin/c_rehash's perl interpreter line
-      #
-      # - openssl 1_0_2: embeds a reference to buildPackages.perl
-      # - openssl 1_1:   emits "#!/usr/bin/env perl"
-      #
-      # In the case of openssl_1_0_2, reset the invalid reference and let the
-      # interpreter hook take care of it.
-      #
-      # In both cases, if withPerl = false, the intepreter line is expected be
-      # "#!/usr/bin/env perl"
-    ''
-      substituteInPlace $out/bin/c_rehash --replace ${buildPackages.perl}/bin/perl "/usr/bin/env perl"
-    '' + ''
+    '') + ''
       mkdir -p $bin
       mv $out/bin $bin/bin
 
+      # c_rehash is a legacy perl script with the same functionality
+      # as `openssl rehash`
+      # this wrapper script is created to maintain backwards compatibility without
+      # depending on perl
+      makeWrapper $bin/bin/openssl $bin/bin/c_rehash \
+        --add-flags "rehash"
+
       mkdir $dev
       mv $out/include $dev/
 
       # remove dependency on Perl at runtime
       rm -r $etc/etc/ssl/misc
 
       rmdir $etc/etc/ssl/{certs,private}
+
+      ${lib.optionalString (conf != null) "cat ${conf} > $etc/etc/ssl/openssl.cnf"}
     '';
 
     postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) ''