Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'

6 files changed, 53 insertions, 164 deletions

diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch
deleted file mode 100644
index 5ecfb4175569..000000000000
--- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/darwin64-arm64.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/Configure b/Configure
-index 494e0b3..0b448aa 100755
---- a/Configure
-+++ b/Configure
-@@ -652,6 +652,8 @@ my %table=(
- "darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-+"darwin64-arm64-cc","cc:-arch arm64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-+"debug-darwin64-arm64-cc","cc:-arch arm64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch arm64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- # iPhoneOS/iOS
- "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
deleted file mode 100644
index 5765409fdd57..000000000000
--- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
-index e6d0e6e1a6..b89456fd87 100644
---- a/crypto/x509/by_file.c
-+++ b/crypto/x509/by_file.c
-@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
-     switch (cmd) {
-     case X509_L_FILE_LOAD:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            file = ossl_safe_getenv(X509_get_default_cert_file_env());
-+            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
-+
-+            if (!file)
-+                file = ossl_safe_getenv(X509_get_default_cert_file_env());
- 
-             if (file)
-                 ok = (X509_load_cert_crl_file(ctx, file,
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
deleted file mode 100644
index 3d9ee7e6a822..000000000000
--- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
---- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100
-+++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100
-@@ -81,8 +81,8 @@
- 
- # ifndef OPENSSL_SYS_VMS
- #  define X509_CERT_AREA          OPENSSLDIR
- #  define X509_CERT_DIR           OPENSSLDIR "/certs"
--#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
-+#  define X509_CERT_FILE          "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
- #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
- # else
- #  define X509_CERT_AREA          "SSLROOT:[000000]"
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch b/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
deleted file mode 100644
index 813c6bdf44ab..000000000000
--- a/nixpkgs/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
---- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100
-+++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100
-@@ -81,8 +81,8 @@
- 
- # ifndef OPENSSL_SYS_VMS
- #  define X509_CERT_AREA          OPENSSLDIR
- #  define X509_CERT_DIR           OPENSSLDIR "/certs"
--#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
-+#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
- #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
- # else
- #  define X509_CERT_AREA          "SSLROOT:[000000]"
diff --git a/nixpkgs/pkgs/development/libraries/openssl/chacha.nix b/nixpkgs/pkgs/development/libraries/openssl/chacha.nix
deleted file mode 100644
index bae3e53f441f..000000000000
--- a/nixpkgs/pkgs/development/libraries/openssl/chacha.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, perl, zlib
-, withCryptodev ? false, cryptodev
-}:
-
-with lib;
-stdenv.mkDerivation {
-  pname = "openssl-chacha";
-  version = "2016-08-22";
-
-  src = fetchFromGitHub {
-    owner = "PeterMosmans";
-    repo = "openssl";
-    rev = "293717318e903b95f4d7e83a98a087282f37efc3";
-    sha256 = "134j3anjnj2q99xsd8d47bwvjp73qkdsimdd9riyjxa3hd8ysr00";
-  };
-
-  outputs = [ "bin" "dev" "out" "man" ];
-  setOutputFlags = false;
-
-  nativeBuildInputs = [ perl zlib ];
-  buildInputs = lib.optional withCryptodev cryptodev;
-
-  configureScript = "./config";
-
-  configureFlags = [
-    "zlib"
-    "shared"
-    "experimental-jpake"
-    "enable-md2"
-    "enable-rc5"
-    "enable-rfc3779"
-    "enable-gost"
-    "--libdir=lib"
-    "--openssldir=etc/ssl"
-  ] ++ lib.optionals withCryptodev [
-    "-DHAVE_CRYPTODEV"
-    "-DUSE_CRYPTODEV_DIGESTS"
-  ];
-
-  makeFlags = [
-    "MANDIR=$(man)/share/man"
-  ];
-
-  # Parallel building is broken in OpenSSL.
-  enableParallelBuilding = false;
-
-  postInstall = ''
-    # If we're building dynamic libraries, then don't install static
-    # libraries.
-    if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
-        rm "$out/lib/"*.a
-    fi
-
-    mkdir -p $bin
-    mv $out/bin $bin/
-
-    mkdir $dev
-    mv $out/include $dev/
-
-    # remove dependency on Perl at runtime
-    rm -r $out/etc/ssl/misc
-
-    rmdir $out/etc/ssl/{certs,private}
-  '';
-
-  postFixup = ''
-    # Check to make sure we don't depend on perl
-    if grep -r '${perl}' $out; then
-      echo "Found an erroneous dependency on perl ^^^" >&2
-      exit 1
-    fi
-  '';
-
-  meta = {
-    homepage = "https://www.openssl.org/";
-    description = "A cryptographic library that implements the SSL and TLS protocols";
-    platforms = [ "x86_64-linux" ];
-    maintainers = [ lib.maintainers.cstrahan ];
-    license = licenses.openssl;
-    priority = 10; # resolves collision with ‘man-pages’
-  };
-}
diff --git a/nixpkgs/pkgs/development/libraries/openssl/default.nix b/nixpkgs/pkgs/development/libraries/openssl/default.nix
index 33ddbf7018c5..0b4050c76cce 100644
--- a/nixpkgs/pkgs/development/libraries/openssl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/openssl/default.nix
@@ -7,6 +7,7 @@
 # This will cause c_rehash to refer to perl via the environment, but otherwise
 # will produce a perfectly functional openssl binary and library.
 , withPerl ? stdenv.hostPlatform == stdenv.buildPlatform
+, removeReferencesTo
 }:
 
 # Note: this package is used for bootstrapping fetchurl, and thus
@@ -43,9 +44,23 @@ let
       substituteInPlace crypto/async/arch/async_posix.h \
         --replace '!defined(__ANDROID__) && !defined(__OpenBSD__)' \
                   '!defined(__ANDROID__) && !defined(__OpenBSD__) && 0'
+    ''
+    # Move ENGINESDIR into OPENSSLDIR for static builds, in order to move
+    # it to the separate etc output.
+    + lib.optionalString static ''
+      substituteInPlace Configurations/unix-Makefile.tmpl \
+        --replace 'ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}' \
+                  'ENGINESDIR=$(OPENSSLDIR)/engines-{- $sover_dirname -}'
     '';
 
-    outputs = [ "bin" "dev" "out" "man" ] ++ lib.optional withDocs "doc";
+    outputs = [ "bin" "dev" "out" "man" ]
+      ++ lib.optional withDocs "doc"
+      # Separate output for the runtime dependencies of the static build.
+      # Specifically, move OPENSSLDIR into this output, as its path will be
+      # compiled into 'libcrypto.a'. This makes it a runtime dependency of
+      # any package that statically links openssl, so we want to keep that
+      # output minimal.
+      ++ lib.optional static "etc";
     setOutputFlags = false;
     separateDebugInfo =
       !stdenv.hostPlatform.isDarwin &&
@@ -69,6 +84,12 @@ let
         x86_64-linux = "./Configure linux-x86_64";
         x86_64-solaris = "./Configure solaris64-x86_64-gcc";
         riscv64-linux = "./Configure linux64-riscv64";
+        mips64el-linux =
+          if stdenv.hostPlatform.isMips64n64
+          then "./Configure linux64-mips64"
+          else if stdenv.hostPlatform.isMips64n32
+          then "./Configure linux-mips64"
+          else throw "unsupported ABI for ${stdenv.hostPlatform.system}";
       }.${stdenv.hostPlatform.system} or (
         if stdenv.hostPlatform == stdenv.buildPlatform
           then "./config"
@@ -95,7 +116,14 @@ let
     configureFlags = [
       "shared" # "shared" builds both shared and static libraries
       "--libdir=lib"
-      "--openssldir=etc/ssl"
+      (if !static then
+         "--openssldir=etc/ssl"
+       else
+         # Move OPENSSLDIR to the 'etc' output for static builds. Prepend '/.'
+         # to the path to make it appear absolute before variable expansion,
+         # else the 'prefix' would be prepended to it.
+         "--openssldir=/.$(etc)/etc/ssl"
+      )
     ] ++ lib.optionals withCryptodev [
       "-DHAVE_CRYPTODEV"
       "-DUSE_CRYPTODEV_DIGESTS"
@@ -106,7 +134,11 @@ let
       # OpenSSL needs a specific `no-shared` configure flag.
       # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
       # for a comprehensive list of configuration options.
-      ++ lib.optional (lib.versionAtLeast version "1.1.0" && static) "no-shared";
+      ++ lib.optional (lib.versionAtLeast version "1.1.0" && static) "no-shared"
+      # This introduces a reference to the CTLOG_FILE which is undesired when
+      # trying to build binaries statically.
+      ++ lib.optional static "no-ct"
+      ;
 
     makeFlags = [
       "MANDIR=$(man)/share/man"
@@ -120,13 +152,19 @@ let
     enableParallelBuilding = true;
 
     postInstall =
-    lib.optionalString (!static) ''
+    (if static then ''
+      # OPENSSLDIR has a reference to self
+      ${removeReferencesTo}/bin/remove-references-to -t $out $out/lib/*.a
+    '' else ''
       # If we're building dynamic libraries, then don't install static
       # libraries.
       if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
           rm "$out/lib/"*.a
       fi
-    '' + lib.optionalString (!stdenv.hostPlatform.isWindows)
+
+      # 'etc' is a separate output on static builds only.
+      etc=$out
+    '') + lib.optionalString (!stdenv.hostPlatform.isWindows)
       # Fix bin/c_rehash's perl interpreter line
       #
       # - openssl 1_0_2: embeds a reference to buildPackages.perl
@@ -147,14 +185,15 @@ let
       mv $out/include $dev/
 
       # remove dependency on Perl at runtime
-      rm -r $out/etc/ssl/misc
+      rm -r $etc/etc/ssl/misc
 
-      rmdir $out/etc/ssl/{certs,private}
+      rmdir $etc/etc/ssl/{certs,private}
     '';
 
     postFixup = lib.optionalString (!stdenv.hostPlatform.isWindows) ''
-      # Check to make sure the main output doesn't depend on perl
-      if grep -r '${buildPackages.perl}' $out; then
+      # Check to make sure the main output and the static runtime dependencies
+      # don't depend on perl
+      if grep -r '${buildPackages.perl}' $out $etc; then
         echo "Found an erroneous dependency on perl ^^^" >&2
         exit 1
       fi
@@ -170,24 +209,10 @@ let
 
 in {
 
-  openssl_1_0_2 = common {
-    version = "1.0.2u";
-    sha256 = "ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16";
-    patches = [
-      ./1.0.2/nix-ssl-cert-file.patch
-
-      (if stdenv.hostPlatform.isDarwin
-       then ./1.0.2/use-etc-ssl-certs-darwin.patch
-       else ./1.0.2/use-etc-ssl-certs.patch)
-    ] ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-darwin") [
-      ./1.0.2/darwin64-arm64.patch
-    ];
-    extraMeta.knownVulnerabilities = [ "Support for OpenSSL 1.0.2 ended with 2019." ];
-  };
 
   openssl_1_1 = common rec {
-    version = "1.1.1n";
-    sha256 = "sha256-QNzrUaT2pSdb3g5r8g70uRv8Mu1XwFUuLo4VRjNysXo=";
+    version = "1.1.1q";
+    sha256 = "sha256-15Oc5hQCnN/wtsIPDi5XAxWKSJpyslB7i9Ub+Mj9EMo=";
     patches = [
       ./1.1/nix-ssl-cert-file.patch
 
@@ -200,9 +225,9 @@ in {
     withDocs = true;
   };
 
-  openssl_3_0 = common {
-    version = "3.0.2";
-    sha256 = "sha256-mOkczq1NR1auPJzeXgkZGo5YbZ9NUIOOfsCdZBHf22M=";
+  openssl_3 = common {
+    version = "3.0.5";
+    sha256 = "sha256-qn2Nm+9xrWUlxVuhHl9Dl4ic5Jwsk0nc6m0+TwsCSno=";
     patches = [
       ./3.0/nix-ssl-cert-file.patch