diff --git a/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..e7090f49db6a
--- /dev/null
+++ b/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch
@@ -0,0 +1,15 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index 37d73ca84c..e328896234 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = ossl_safe_getenv(X509_get_default_cert_file_env());
++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++ if (!file)
++ file = ossl_safe_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
+ libctx, propq) != 0);
diff --git a/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch b/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
new file mode 100644
index 000000000000..baf162e88d09
--- /dev/null
+++ b/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
@@ -0,0 +1,22 @@
+diff --git a/Configure b/Configure
+index f0ad787bc4..a48d2008c6 100755
+--- a/Configure
++++ b/Configure
+@@ -1688,17 +1688,6 @@ unless ($disabled{devcryptoeng}) {
+ unless ($disabled{ktls}) {
+ $config{ktls}="";
+ if ($target =~ m/^linux/) {
+- my $usr = "/usr/$config{cross_compile_prefix}";
+- chop($usr);
+- if ($config{cross_compile_prefix} eq "") {
+- $usr = "/usr";
+- }
+- my $minver = (4 << 16) + (13 << 8) + 0;
+- my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`);
+-
+- if ($verstr[2] < $minver) {
+- disable('too-old-kernel', 'ktls');
+- }
+ } elsif ($target =~ m/^BSD/) {
+ my $cc = $config{CROSS_COMPILE}.$config{CC};
+ system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
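Review bot: An empty `NIX_SSL_CERT_FILE` is treated as set in the patched `X509_L_FILE_LOAD` branch of `by_file_ctrl_ex`: `if (!file)` only tests for NULL, so `NIX_SSL_CERT_FILE=` skips the `X509_get_default_cert_file_env()` fallback and hands an empty path to `X509_load_cert_crl_file_ex`. That presumably fails closed (no CA file is loaded), but it is an easy misconfiguration when a wrapper exports the variable unconditionally; consider `if (file == NULL || *file == '\0')`. The Nix variable also silently takes precedence over the upstream one, which deserves a one-line comment above the lookup, e.g. `/* Nix: NIX_SSL_CERT_FILE overrides the default cert-file environment variable */`. The rest of `by_file_ctrl_ex`, including the path taken when neither variable is set, is outside the hunk.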
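Review bot: The Linux branch of the kTLS block in `Configure` is left as an empty `if ($target =~ m/^linux/) { }`, so on Linux nothing at configure time compares the kernel headers with the 4.13 minimum any more. If kTLS is enabled for this build, compilation then depends on whatever headers the build environment provides, and the patch does not say that anywhere. Add a short description at the top of the patch file (purpose, and whether it was sent upstream) and a comment inside the emptied branch, e.g. `# Nix: kernel header version check removed, /usr/include is not consulted`. The `unless ($disabled{ktls})` block continues beyond the hunk.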
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index ca44788a289e..ca2e240dd869 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -198,11 +198,33 @@ in { ./1.1/nix-ssl-cert-file.patch (if stdenv.hostPlatform.isDarwin - then ./1.1/use-etc-ssl-certs-darwin.patch - else ./1.1/use-etc-ssl-certs.patch) + then ./use-etc-ssl-certs-darwin.patch + else ./use-etc-ssl-certs.patch) ] ++ lib.optionals (stdenv.isDarwin) [ ./1.1/macos-yosemite-compat.patch ]; withDocs = true; }; + + openssl_3_0 = common { + version = "3.0.0"; + sha256 = "sha256-We7fy0bCUhTJvTftYHgpe03wHQEiZ/6enu4x9hvHBTY="; + patches = [ + ./3.0/nix-ssl-cert-file.patch + + # openssl will only compile in KTLS if the current kernel supports it. + # This patch disables build-time detection. + ./3.0/openssl-disable-kernel-detection.patch + + (if stdenv.hostPlatform.isDarwin + then ./use-etc-ssl-certs-darwin.patch + else ./use-etc-ssl-certs.patch) + ]; + + withDocs = true; + + extraMeta = with lib; { + license = licenses.asl20; + }; + }; } diff --git a/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs-darwin.patch b/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch similarity index 100% rename from pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs-darwin.patch rename to pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch diff --git a/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs.patch b/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch similarity index 100% rename from pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs.patch rename to pkgs/development/libraries/openssl/use-etc-ssl-certs.patch diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 171e7f110b47..6743f69c067f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
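Review bot: The comment above `./3.0/openssl-disable-kernel-detection.patch` in the new `openssl_3_0` patch list does not say what the build ends up with; "disables build-time detection" can be read as kTLS always on or always off. Going by the patch, the header-version check is deleted so Configure no longer calls `disable('too-old-kernel', 'ktls')` on Linux; wording such as `# Configure disables kTLS when /usr/include/linux/version.h reports a kernel older than 4.13.` followed by `# Drop that check so the result does not depend on the build host.` would make that explicit. The `use-etc-ssl-certs*.patch` files are now shared between 1.1 and 3.0, and whether they apply unchanged to 3.0.0 is not visible on this page, so that is worth confirming since they decide the default trust-store path. The enclosing attribute set starts outside the hunk.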
@@ -18845,7 +18845,8 @@ with pkgs; inherit (callPackages ../development/libraries/openssl { }) openssl_1_0_2 - openssl_1_1; + openssl_1_1 + openssl_3_0; openssl-chacha = callPackage ../development/libraries/openssl/chacha.nix { };