libressl: fix build w/glibc-2.34

Failing Hydra build: https://hydra.nixos.org/build/151984996
2021-09-08 19:23:41 +02:00 · 2021-09-08 19:23:41 +02:00 · 3aa6c49ab4
commit 3aa6c49ab4
parent 2357e828f5
2 changed files with 96 additions and 0 deletions
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@ -89,6 +89,10 @@ in {
  libressl_3_2 = generic {
    version = "3.2.7";
    sha256 = "112bjfrwwqlk0lak7fmfhcls18ydf62cp7gxghf4gklpfl1zyckw";
+    patches = [
+      # See https://github.com/libressl-portable/portable/issues/653 for context.
+      ./fix-build-with-glibc.patch
+    ];
  };
  libressl_3_4 = generic {
    version = "3.4.2";
--- a/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
+++ b/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
@ -0,0 +1,92 @@
+diff --git a/tests/explicit_bzero.c b/tests/explicit_bzero.c
+index 34c60baa8a..9c0e917829 100644
+--- a/tests/explicit_bzero.c
+++ b/tests/explicit_bzero.c
+@@ -1,4 +1,4 @@
+-/*	$OpenBSD: explicit_bzero.c,v 1.6 2014/07/11 01:10:35 matthew Exp $	*/
+/*	$OpenBSD: explicit_bzero.c,v 1.7 2021/03/27 11:17:58 bcook Exp $	*/
+ /*
+  * Copyright (c) 2014 Google Inc.
+  *
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <errno.h>
+ #include <signal.h>
+#include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+ 
+@@ -36,19 +37,33 @@ enum {
+ 	SECRETBYTES = SECRETCOUNT * sizeof(secret)
+ };
+ 
+-static char altstack[SIGSTKSZ + SECRETBYTES];
+/*
+ * As of glibc 2.34, when _GNU_SOURCE is defined, SIGSTKSZ is no longer
+ * constant on Linux. SIGSTKSZ is redefined to sysconf (_SC_SIGSTKSZ).
+ */
+static char *altstack;
+#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
+ 
+ static void
+ setup_stack(void)
+ {
+	altstack = calloc(1, ALTSTACK_SIZE);
+	ASSERT_NE(NULL, altstack);
+
+ 	const stack_t sigstk = {
+ 		.ss_sp = altstack,
+-		.ss_size = sizeof(altstack),
+		.ss_size = ALTSTACK_SIZE
+ 	};
+ 
+ 	ASSERT_EQ(0, sigaltstack(&sigstk, NULL));
+ }
+ 
+static void
+cleanup_stack(void)
+{
+	free(altstack);
+}
+
+ static void
+ assert_on_stack(void)
+ {
+@@ -129,7 +144,7 @@ test_without_bzero()
+ 	char buf[SECRETBYTES];
+ 	assert_on_stack();
+ 	populate_secret(buf, sizeof(buf));
+-	char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
+	char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ 	ASSERT_NE(NULL, res);
+ 	return (res);
+ }
+@@ -140,7 +155,7 @@ test_with_bzero()
+ 	char buf[SECRETBYTES];
+ 	assert_on_stack();
+ 	populate_secret(buf, sizeof(buf));
+-	char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
+	char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ 	ASSERT_NE(NULL, res);
+ 	explicit_bzero(buf, sizeof(buf));
+ 	return (res);
+@@ -183,15 +198,17 @@ main()
+ 	 * on the stack.  This sanity checks that call_on_stack() and
+ 	 * populate_secret() work as intended.
+ 	 */
+-	memset(altstack, 0, sizeof(altstack));
+	memset(altstack, 0, ALTSTACK_SIZE);
+ 	call_on_stack(do_test_without_bzero);
+ 
+ 	/*
+ 	 * Now test with a call to explicit_bzero() and check that we
+ 	 * *don't* find any instances of the secret data.
+ 	 */
+-	memset(altstack, 0, sizeof(altstack));
+	memset(altstack, 0, ALTSTACK_SIZE);
+ 	call_on_stack(do_test_with_bzero);
+ 
+	cleanup_stack();
+
+ 	return (0);
+ }