authorAlyssa Ross <hi@alyssa.is>2022-01-03 23:55:00 +0000
committerAlyssa Ross <hi@alyssa.is>2022-02-19 11:03:39 +0000
commitf4cf97a04cd5d0b86aa46baec9fb228a8f671c03 (patch)
tree28192415ff39a661d0001563bf81cc93fa25d16d /nixpkgs/pkgs/development/libraries/openssl
parentf8422837c9bde058e8f2de37702e7e94b2226040 (diff)
parent18c84ea816348e2a098390101b92d1e39a9dbd45 (diff)
Merge commit '18c84ea816348e2a098390101b92d1e39a9dbd45'
Conflicts:
	nixpkgs/nixos/modules/misc/documentation.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
	nixpkgs/pkgs/applications/window-managers/sway/default.nix
	nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix
	nixpkgs/pkgs/development/go-modules/generic/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/patchsets.nix
	nixpkgs/pkgs/development/libraries/boehm-gc/7.6.6.nix
	nixpkgs/pkgs/development/python-modules/django-mailman3/default.nix
	nixpkgs/pkgs/servers/mail/mailman/web.nix
	nixpkgs/pkgs/top-level/aliases.nix
	nixpkgs/pkgs/top-level/all-packages.nix
	nixpkgs/pkgs/top-level/impure.nix
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/openssl')
-rw-r--r--nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch15
-rw-r--r--nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch22
-rw-r--r--nixpkgs/pkgs/development/libraries/openssl/default.nix27
-rw-r--r--nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch (renamed from nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs-darwin.patch)0
-rw-r--r--nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch (renamed from nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs.patch)0
5 files changed, 62 insertions, 2 deletions
diff --git a/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..e7090f49db6a
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch
@@ -0,0 +1,15 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index 37d73ca84c..e328896234 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
++            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++            if (!file)
++                file = ossl_safe_getenv(X509_get_default_cert_file_env());
+             if (file)
+                 ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
+                                                  libctx, propq) != 0);
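Review bot: `if (!file)` only falls back when NIX_SSL_CERT_FILE is unset, so a variable that is set but empty is used as the path and the lookup through `X509_get_default_cert_file_env()` is skipped. Loading `""` would then fail and, as far as the visible lines show, no default trust anchors are loaded; that fails closed, but it is a confusing way to break certificate verification. Consider `if (file == NULL || *file == '\0')` for the fallback. A comment above the new lookup should also state that NIX_SSL_CERT_FILE deliberately takes precedence over the upstream variable, because it lets the environment replace a trust store an operator chose through SSL_CERT_FILE. by_file_ctrl_ex starts and ends outside the hunk.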
diff --git a/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch b/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
new file mode 100644
index 000000000000..baf162e88d09
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
@@ -0,0 +1,22 @@
+diff --git a/Configure b/Configure
+index f0ad787bc4..a48d2008c6 100755
+--- a/Configure
++++ b/Configure
+@@ -1688,17 +1688,6 @@ unless ($disabled{devcryptoeng}) {
+ unless ($disabled{ktls}) {
+     $config{ktls}="";
+     if ($target =~ m/^linux/) {
+-        my $usr = "/usr/$config{cross_compile_prefix}";
+-        chop($usr);
+-        if ($config{cross_compile_prefix} eq "") {
+-            $usr = "/usr";
+-        }
+-        my $minver = (4 << 16) + (13 << 8) + 0;
+-        my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`);
+-
+-        if ($verstr[2] < $minver) {
+-            disable('too-old-kernel', 'ktls');
+-        }
+     } elsif ($target =~ m/^BSD/) {
+         my $cc = $config{CROSS_COMPILE}.$config{CC};
+         system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1");
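Review bot: With the version gate deleted, the `linux` branch of the `ktls` block is an empty `if` body, and nothing at configure time checks that the kernel headers used for the build are new enough for KTLS (the removed code required 4.13.0). If the headers in the build environment are older, the failure would presumably surface as a compile error instead of a clean `disable('too-old-kernel', 'ktls')`. I would leave a one-line comment in the empty branch, e.g. `# nixpkgs: KTLS is selected by the enable-ktls flag, not by probing /usr/include`, so whoever rebases this patch onto a newer OpenSSL release knows the empty body is intentional. The `unless` block continues past the end of the hunk.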
diff --git a/nixpkgs/pkgs/development/libraries/openssl/default.nix b/nixpkgs/pkgs/development/libraries/openssl/default.nix
index ca44788a289e..30721129073b 100644
--- a/nixpkgs/pkgs/development/libraries/openssl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/openssl/default.nix
@@ -108,6 +108,7 @@ let
       "-DUSE_CRYPTODEV_DIGESTS"
     ] ++ lib.optional enableSSL2 "enable-ssl2"
       ++ lib.optional enableSSL3 "enable-ssl3"
+      ++ lib.optional (versionAtLeast version "3.0.0") "enable-ktls"
       ++ lib.optional (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
       # OpenSSL needs a specific `no-shared` configure flag.
       # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
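Review bot: `enable-ktls` is passed for every host platform once the version is 3.0.0 or later, but the Configure block this flag drives (see the 3.0 kernel-detection patch in this commit) only shows `linux` and `BSD` branches. On Darwin and other targets the explicit flag is at best ignored and may make Configure reject the build, depending on the part of that block not visible here. Gating it, e.g. `++ lib.optional (versionAtLeast version "3.0.0" && stdenv.hostPlatform.isLinux) "enable-ktls"`, keeps the flag to the platform the detection patch was written for. The flag list begins above the hunk.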
@@ -198,11 +199,33 @@ in {
       ./1.1/nix-ssl-cert-file.patch
 
       (if stdenv.hostPlatform.isDarwin
-       then ./1.1/use-etc-ssl-certs-darwin.patch
-       else ./1.1/use-etc-ssl-certs.patch)
+       then ./use-etc-ssl-certs-darwin.patch
+       else ./use-etc-ssl-certs.patch)
     ] ++ lib.optionals (stdenv.isDarwin) [
       ./1.1/macos-yosemite-compat.patch
     ];
     withDocs = true;
   };
+
+  openssl_3_0 = common {
+    version = "3.0.1";
+    sha256 = "sha256-wxGthTNTvOeW7a0BqGLFCopYf2Ln4hAO9GWrU+ybBtE=";
+    patches = [
+      ./3.0/nix-ssl-cert-file.patch
+
+      # openssl will only compile in KTLS if the current kernel supports it.
+      # This patch disables build-time detection.
+      ./3.0/openssl-disable-kernel-detection.patch
+
+      (if stdenv.hostPlatform.isDarwin
+       then ./use-etc-ssl-certs-darwin.patch
+       else ./use-etc-ssl-certs.patch)
+    ];
+
+    withDocs = true;
+
+    extraMeta = with lib; {
+      license = licenses.asl20;
+    };
+  };
 }
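Review bot: The comment above `./3.0/openssl-disable-kernel-detection.patch` says the check depends on "the current kernel", but the code that patch removes reads `LINUX_VERSION_CODE` from `$usr/include/linux/version.h`, i.e. a header path, not the running kernel. I would reword it to something like `# Upstream Configure decides on KTLS by reading /usr/include/linux/version.h, which does not describe the target system here; the check is patched out and KTLS is requested with enable-ktls instead.` That also ties the patch to the `enable-ktls` flag added earlier in this file, which the current comment does not mention. `./3.0/nix-ssl-cert-file.patch` has no comment at all; one line saying it makes NIX_SSL_CERT_FILE override the default CA bundle lookup would help, since it changes which trust store is used.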
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs-darwin.patch b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
index 2c98ccfa7ed0..2c98ccfa7ed0 100644
--- a/nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs-darwin.patch
+++ b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
diff --git a/nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs.patch b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch
index 67d199681f96..67d199681f96 100644
--- a/nixpkgs/pkgs/development/libraries/openssl/1.1/use-etc-ssl-certs.patch
+++ b/nixpkgs/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch