Merge pull request #269450 from thillux/openssl-3.2

openssl_3_2: init at 3.2.0
2023-12-29 03:51:12 +01:00 · 2023-12-29 03:51:12 +01:00 · e38737469b
commit e38737469b
parent ecb211799d 9de58c34dc
4 changed files with 39 additions and 6 deletions
--- a/pkgs/development/libraries/openssl/3.2/use-etc-ssl-certs-darwin.patch
+++ b/pkgs/development/libraries/openssl/3.2/use-etc-ssl-certs-darwin.patch
@ -0,0 +1,13 @@
+diff --git a/include/internal/common.h b/include/internal/common.h
+index 15666f1..d91e25b 100644
+--- a/include/internal/common.h
+++ b/include/internal/common.h
+@@ -83,7 +83,7 @@ __owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr,
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_CERT_FILE          "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+ # else
--- a/pkgs/development/libraries/openssl/3.2/use-etc-ssl-certs.patch
+++ b/pkgs/development/libraries/openssl/3.2/use-etc-ssl-certs.patch
@ -0,0 +1,13 @@
+diff --git a/include/internal/common.h b/include/internal/common.h
+index 15666f1..d91e25b 100644
+--- a/include/internal/common.h
+++ b/include/internal/common.h
+@@ -83,7 +83,7 @@ __owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr,
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+ # else
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@ -234,6 +234,13 @@ let
  });

 in {
+  # intended version "policy":
+  # - 1.1 as long as some package exists, which does not build without it
+  # - latest 3.x LTS
+  # - latest 3.x non-LTS as preview/for development
+  #
+  # - other versions in between only when reasonable need is stated for some package
+  # - backport every security critical fix release e.g. 3.0.y -> 3.0.y+1 but no new version, e.g. 3.1 -> 3.2

  # If you do upgrade here, please update in pkgs/top-level/release.nix
  # the permitted insecure version to ensure it gets cached for our users
@ -279,9 +286,9 @@ in {
    };
  };

-  openssl_3_1 = common {
-    version = "3.1.4";
-    hash = "sha256-hAr1Nmq5tSK95SWCa+PvD7Cvgcap69hMqmAP6hcx7uM=";
+  openssl_3_2 = common {
+    version = "3.2.0";
+    hash = "sha256-FMgm8Hx+QzcG+1xp+p4l2rlWhIRLTJYqLPG/GD60aQ4=";

    patches = [
      ./3.0/nix-ssl-cert-file.patch
@ -291,8 +298,8 @@ in {
      ./3.0/openssl-disable-kernel-detection.patch

      (if stdenv.hostPlatform.isDarwin
-       then ./use-etc-ssl-certs-darwin.patch
-       else ./use-etc-ssl-certs.patch)
+       then ./3.2/use-etc-ssl-certs-darwin.patch
+       else ./3.2/use-etc-ssl-certs.patch)
    ];

    withDocs = true;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -24445,7 +24445,7 @@ with pkgs;
  inherit (callPackages ../development/libraries/openssl { })
    openssl_1_1
    openssl_3
-    openssl_3_1;
+    openssl_3_2;

  opensubdiv = callPackage ../development/libraries/opensubdiv { };