Diffstat (limited to 'nixpkgs/pkgs/development/libraries/libressl')
-rw-r--r--nixpkgs/pkgs/development/libraries/libressl/default.nix103
-rw-r--r--nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch92
2 files changed, 195 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/libressl/default.nix b/nixpkgs/pkgs/development/libraries/libressl/default.nix
new file mode 100644
index 000000000000..a9dc9f349fff
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/libressl/default.nix
@@ -0,0 +1,103 @@
+{ stdenv
+, fetchurl
+, lib
+, cmake
+, cacert
+, fetchpatch
+, buildShared ? !stdenv.hostPlatform.isStatic
+}:
+
+let
+  ldLibPathEnvName = if stdenv.isDarwin
+    then "DYLD_LIBRARY_PATH"
+    else "LD_LIBRARY_PATH";
+
+  generic =
+    { version
+    , hash
+    , patches ? []
+    , knownVulnerabilities ? []
+    }: stdenv.mkDerivation rec
+  {
+    pname = "libressl";
+    inherit version;
+
+    src = fetchurl {
+      url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
+      inherit hash;
+    };
+
+    nativeBuildInputs = [ cmake ];
+
+    cmakeFlags = [
+      "-DENABLE_NC=ON"
+      # Ensure that the output libraries do not require an executable stack.
+      # Without this define, assembly files in libcrypto do not include a
+      # .note.GNU-stack section, and if that section is missing from any object,
+      # the linker will make the stack executable.
+      "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
+      # libressl will append this to the regular prefix for libdir
+      "-DCMAKE_INSTALL_LIBDIR=lib"
+    ] ++ lib.optional buildShared "-DBUILD_SHARED_LIBS=ON";
+
+    # The autoconf build is broken as of 2.9.1, resulting in the following error:
+    # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
+    # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
+    # removing ./configure pre-config.
+    preConfigure = ''
+      rm configure
+      substituteInPlace CMakeLists.txt \
+        --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
+        --replace 'libdir      \''${exec_prefix}' 'libdir \''${prefix}'
+    '';
+
+    inherit patches;
+
+    # Since 2.9.x the default location can't be configured from the build using
+    # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
+    postPatch = ''
+      patchShebangs tests/
+      ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
+        substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
+      ''}
+    '';
+
+    doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV);
+    preCheck = ''
+      export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
+      export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
+    '';
+    postCheck = ''
+      export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
+    '';
+
+    outputs = [ "bin" "dev" "out" "man" "nc" ];
+
+    postFixup = ''
+      moveToOutput "bin/nc" "$nc"
+      moveToOutput "bin/openssl" "$bin"
+      moveToOutput "bin/ocspcheck" "$bin"
+      moveToOutput "share/man/man1/nc.1.gz" "$nc"
+    '';
+
+    meta = with lib; {
+      description = "Free TLS/SSL implementation";
+      homepage    = "https://www.libressl.org";
+      license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
+      platforms   = platforms.all;
+      maintainers = with maintainers; [ thoughtpolice fpletz ];
+      inherit knownVulnerabilities;
+    };
+  };
+
+in {
+  libressl_3_6 = generic {
+    version = "3.6.3";
+    hash = "sha256-h7G7426e7I0K5fBMg9NrLFsOWBeEx+sIFwJe0p6t6jc=";
+  };
+
+  libressl_3_7 = generic {
+    version = "3.7.3";
+    hash = "sha256-eUjIVqkMglvXJotvhWdKjc0lS65C4iF4GyTj+NwzXbM=";
+  };
+}
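Review bot: `fetchpatch` is taken from the argument set on line 22 but never used, and the `fix-build-with-glibc.patch` file added by the same commit is not listed in `patches` for either `libressl_3_6` or `libressl_3_7`, so the glibc 2.34 SIGSTKSZ fix it carries is never applied and `doCheck` runs of `tests/explicit_bzero.c` may still fail on a recent glibc. Either drop the unused argument or wire the patch in, e.g. `patches = [ ./fix-build-with-glibc.patch ];` in the call for whichever version needs it (which one does is not visible here). Separately, the `substituteInPlace --replace` on `tls/tls_config.c` in `postPatch` is silent when the literal `"/etc/ssl/cert.pem"` is not found, leaving the built libtls defaulting to a CA bundle path that does not exist on NixOS; if the stdenv in use offers `--replace-fail`, prefer it so a drifted upstream string fails the build instead of quietly shipping an unusable default trust store. The `doCheck` exclusion of Power64 and RISC-V on line 81 also deserves a one-line comment stating why those platforms are skipped.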
diff --git a/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch b/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
new file mode 100644
index 000000000000..db482bcb35da
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/libressl/fix-build-with-glibc.patch
@@ -0,0 +1,92 @@
+diff --git a/tests/explicit_bzero.c b/tests/explicit_bzero.c
+index 34c60baa8a..9c0e917829 100644
+--- a/tests/explicit_bzero.c
++++ b/tests/explicit_bzero.c
+@@ -1,4 +1,4 @@
+-/*	$OpenBSD: explicit_bzero.c,v 1.6 2014/07/11 01:10:35 matthew Exp $	*/
++/*	$OpenBSD: explicit_bzero.c,v 1.7 2021/03/27 11:17:58 bcook Exp $	*/
+ /*
+  * Copyright (c) 2014 Google Inc.
+  *
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <errno.h>
+ #include <signal.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+ 
+@@ -36,19 +37,33 @@ enum {
+ 	SECRETBYTES = SECRETCOUNT * sizeof(secret)
+ };
+ 
+-static char altstack[SIGSTKSZ + SECRETBYTES];
++/*
++ * As of glibc 2.34, when _GNU_SOURCE is defined, SIGSTKSZ is no longer
++ * constant on Linux. SIGSTKSZ is redefined to sysconf (_SC_SIGSTKSZ).
++ */
++static char *altstack;
++#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
+ 
+ static void
+ setup_stack(void)
+ {
++	altstack = calloc(1, ALTSTACK_SIZE);
++	ASSERT_NE(NULL, altstack);
++
+ 	const stack_t sigstk = {
+ 		.ss_sp = altstack,
+-		.ss_size = sizeof(altstack),
++		.ss_size = ALTSTACK_SIZE
+ 	};
+ 
+ 	ASSERT_EQ(0, sigaltstack(&sigstk, NULL));
+ }
+ 
++static void
++cleanup_stack(void)
++{
++	free(altstack);
++}
++
+ static void
+ assert_on_stack(void)
+ {
+@@ -129,7 +144,7 @@ test_without_bzero()
+ 	char buf[SECRETBYTES];
+ 	assert_on_stack();
+ 	populate_secret(buf, sizeof(buf));
+-	char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
++	char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ 	ASSERT_NE(NULL, res);
+ 	return (res);
+ }
+@@ -140,7 +155,7 @@ test_with_bzero()
+ 	char buf[SECRETBYTES];
+ 	assert_on_stack();
+ 	populate_secret(buf, sizeof(buf));
+-	char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
++	char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+ 	ASSERT_NE(NULL, res);
+ 	explicit_bzero(buf, sizeof(buf));
+ 	return (res);
+@@ -183,15 +198,17 @@ main()
+ 	 * on the stack.  This sanity checks that call_on_stack() and
+ 	 * populate_secret() work as intended.
+ 	 */
+-	memset(altstack, 0, sizeof(altstack));
++	memset(altstack, 0, ALTSTACK_SIZE);
+ 	call_on_stack(do_test_without_bzero);
+ 
+ 	/*
+ 	 * Now test with a call to explicit_bzero() and check that we
+ 	 * *don't* find any instances of the secret data.
+ 	 */
+-	memset(altstack, 0, sizeof(altstack));
++	memset(altstack, 0, ALTSTACK_SIZE);
+ 	call_on_stack(do_test_with_bzero);
+ 
++	cleanup_stack();
++
+ 	return (0);
+ }
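Review bot: `cleanup_stack()` frees `altstack` while the buffer is still registered with the kernel as the alternate signal stack by `setup_stack()`, so a signal delivered with SA_ONSTACK between the `free` and process exit would run its handler on freed heap memory. Disable the alternate stack before releasing it: `const stack_t dis = { .ss_flags = SS_DISABLE }; ASSERT_EQ(0, sigaltstack(&dis, NULL)); free(altstack);`. The window is tiny because the call sits immediately before `return (0)`, but the ordering is the safe idiom for a test whose whole purpose is memory hygiene. The `memset(altstack, 0, ALTSTACK_SIZE)` at line 203 is presumably redundant right after the `calloc` in `setup_stack()` (its call site is outside the hunk, as is the start of `main`), so a short comment saying it is kept for symmetry with the second test would stop a later cleanup from removing both.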