overlay: add openssl 3.0.7 fix

2022-11-01 10:35:42 -06:00 · 2022-11-01 10:35:42 -06:00 · 4801ec6bd1
commit 4801ec6bd1
parent 732164713f
6 changed files with 76 additions and 6 deletions
--- a/flake.nix
+++ b/flake.nix
@ -142,8 +142,7 @@
        box = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "box";
        luna = buildSys "x86_64-linux" stable
          [ "${nixos-hardware}/common/cpu/intel" ] "luna";
-        h =
-          buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "h";
+        h = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "h";
        router =
          buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "router";

@ -195,7 +194,8 @@
            isUnstable = true;
          };
          gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit pkgs; };
-          govulncheck = pkgs.callPackage ./pkgs/govulncheck.nix { inherit pkgs; };
+          govulncheck =
+            pkgs.callPackage ./pkgs/govulncheck.nix { inherit pkgs; };
          zutty = pkgs.callPackage ./pkgs/zutty.nix {
            inherit pkgs;
            isUnstable = true;
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -13,8 +13,25 @@ let
      doCheck = false;
    });
  };
+  openssl_3 = self: super: {
+    openssl_3 = super.openssl_3.overrideAttrs (old: rec {
+      pname = "openssl";
+      version = "3.0.7";
+      sha256 = "sha256-gwSdBComDmlvYkBqxcCL9wb9hDg/lFzyG9YentlcOW4=";
+      src = super.fetchurl {
+        url = "https://www.openssl.org/source/${pname}-${version}.tar.gz";
+        inherit sha256;
+      };
+      patches = [
+        ./nix-ssl-cert-file.patch
+        ./openssl-disable-kernel-detection.patch
+        ./use-etc-ssl-certs.patch
+      ];
+    });
+  };
 in {
  nixpkgs.overlays = if isUnstable then [
+    openssl_3

    (self: super: {
      zig = super.zig.overrideAttrs (old: {
@ -40,9 +57,9 @@ in {

      });
    })
-  ] else
-  [
+  ] else [
    openssh
+    openssl_3

    (self: super: {
      matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
--- a/overlays/nix-ssl-cert-file.patch
+++ b/overlays/nix-ssl-cert-file.patch
@ -0,0 +1,15 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index 37d73ca84c..e328896234 100644
+--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
+@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
+            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
+            if (!file)
+                file = ossl_safe_getenv(X509_get_default_cert_file_env());
+             if (file)
+                 ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
+                                                  libctx, propq) != 0);
--- a/overlays/openssl-disable-kernel-detection.patch
+++ b/overlays/openssl-disable-kernel-detection.patch
@ -0,0 +1,25 @@
+diff --git a/Configure b/Configure
+index a558e5ab1a..9a884f0b0f 100755
+--- a/Configure
+++ b/Configure
+@@ -1714,20 +1714,6 @@ unless ($disabled{devcryptoeng}) {
+ 
+ unless ($disabled{ktls}) {
+     $config{ktls}="";
+-    my $cc = $config{CROSS_COMPILE}.$config{CC};
+-    if ($target =~ m/^linux/) {
+-        system("printf '#include <sys/types.h>\n#include <linux/tls.h>' | $cc -E - >/dev/null 2>&1");
+-        if ($? != 0) {
+-            disable('too-old-kernel', 'ktls');
+-        }
+-    } elsif ($target =~ m/^BSD/) {
+-        system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1");
+-        if ($? != 0) {
+-            disable('too-old-freebsd', 'ktls');
+-        }
+-    } else {
+-        disable('not-linux-or-freebsd', 'ktls');
+-    }
+ }
+ 
+ push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
--- a/overlays/use-etc-ssl-certs.patch
+++ b/overlays/use-etc-ssl-certs.patch
@ -0,0 +1,13 @@
+diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
+index 329ef62..9a8df64 100644
+--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
+@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM);
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+ # else
--- a/pkgs/govulncheck.nix
+++ b/pkgs/govulncheck.nix
@ -15,7 +15,7 @@ buildGoModule rec {
  proxyVendor = true;

  doCheck = false;
-  
+
  subPackages = [ "cmd/govulncheck" ];

  meta = {