1 files changed, 28 insertions, 1 deletions

diff --git a/nixpkgs/pkgs/development/libraries/libressl/default.nix b/nixpkgs/pkgs/development/libraries/libressl/default.nix
index fb362ebbad2f..d70672f63ac3 100644
--- a/nixpkgs/pkgs/development/libraries/libressl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/libressl/default.nix
@@ -1,8 +1,16 @@
-{ stdenv, fetchurl, lib, cmake, cacert, fetchpatch
+{ stdenv
+, fetchurl
+, lib
+, cmake
+, cacert
+, fetchpatch
 , buildShared ? !stdenv.hostPlatform.isStatic
 }:
 
 let
+  ldLibPathEnvName = if stdenv.isDarwin
+    then "DYLD_LIBRARY_PATH"
+    else "LD_LIBRARY_PATH";
 
   generic = { version, sha256, patches ? [] }: stdenv.mkDerivation rec {
     pname = "libressl";
@@ -42,6 +50,15 @@ let
       substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
     '';
 
+    doCheck = true;
+    preCheck = ''
+      export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
+      export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
+    '';
+    postCheck = ''
+      export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
+    '';
+
     outputs = [ "bin" "dev" "out" "man" "nc" ];
 
     postFixup = ''
@@ -66,5 +83,15 @@ in {
   libressl_3_2 = generic {
     version = "3.2.5";
     sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
+  };
+  libressl_3_4 = generic {
+    version = "3.4.0";
+    sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
   };
 }