openssl: Add providers, openssl_quantum

Addded the ability to allow for providers with openssl. Added openssl_quantum using oqs-provider.
NixOS · Jan 11, 2025 · 6c87146 · 6c87146
1 parent d53b472
commit 6c87146
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 3 deletions.
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
@@ -4,6 +4,7 @@
   fetchurl,
   buildPackages,
   perl,
+  oqs-provider,
   coreutils,
   writeShellScript,
   makeBinaryWrapper,
@@ -20,6 +21,9 @@
   conf ? null,
   removeReferencesTo,
   testers,
+  providers ? [ ],
+  autoloadProviders ? false,
+  extraConfig,
 }:
 
 # Note: this package is used for bootstrapping fetchurl, and thus
@@ -264,7 +268,6 @@ let
                 --add-flags "rehash"
             ''
         + ''
-
           mkdir $dev
           mv $out/include $dev/
 
@@ -275,6 +278,30 @@ let
         ''
         + lib.optionalString (conf != null) ''
           cat ${conf} > $etc/etc/ssl/openssl.cnf
+        ''
+
+        + lib.concatStringsSep "\n" (
+          map
+            (provider: ''
+              cp --no-preserve=mode ${provider.package}/lib/ossl-modules/* "$out/lib/ossl-modules"
+
+              ${lib.optionalString (autoloadProviders) ''
+                sed -i '/^[[:space:]]*#/!s/\[provider_sect\]/[provider_sect]\n${provider.name} = ${provider.name}_sect/g' $etc/etc/ssl/openssl.cnf
+                echo "[${provider.name}_sect]" >> $etc/etc/ssl/openssl.cnf
+                echo "activate = 1" >> $etc/etc/ssl/openssl.cnf
+              ''}
+            '')
+
+            providers
+        )
+
+        + lib.optionalString (autoloadProviders) ''
+          # The default provider needs loading when there are other providers loaded by default
+          sed -i '/^[[:space:]]*#/!s/\[default_sect\]/[default_sect]\nactivate = 1/g' $etc/etc/ssl/openssl.cnf
+        ''
+
+        + ''
+          echo "${extraConfig}" >> $etc/etc/ssl/openssl.cnf
         '';
 
       postFixup =
@@ -309,9 +336,8 @@ let
         platforms = lib.platforms.all;
       } // extraMeta;
     });
-
 in
-{
+rec {
   # intended version "policy":
   # - 1.1 as long as some package exists, which does not build without it
   #   (tracking issue: https://github.com/NixOS/nixpkgs/issues/269713)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -10458,6 +10458,21 @@ with pkgs;
 
   openssl = openssl_3_3;
 
+  openssl_quantum = openssl.override {
+    providers = [
+      {
+        name = "oqsprovider";
+        package = oqs-provider;
+      }
+    ];
+    autoloadProviders = true;
+    # TLS groups should be post quantum by default
+    extraConfig = ''
+      [tls_system_default]
+      Groups = X25519MLKEM768:x25519_kyber768:x25519:P-521:prime256v1
+    '';
+  };
+
   openssl_legacy = openssl.override {
     conf = ../development/libraries/openssl/3.0/legacy.cnf;
   };