From 10858f46ccdc90bb61f8b05f467a75d53368a0e6 Mon Sep 17 00:00:00 2001
From: Siddharth
Date: Sat, 11 Jan 2025 12:01:36 -0600
Subject: [PATCH] openssl_quantum: init at 3.3.2

Addded the ability to allow for providers with openssl. Added openssl_quantum using oqs-provider.
---
 .../development/libraries/openssl/default.nix | 28 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 15 ++++++++++
 2 files changed, 43 insertions(+)

diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index f0cf68f8b6aa6..183e1875a9963 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -4,6 +4,7 @@
 fetchurl,
 buildPackages,
 perl,
+ oqs-provider,
 coreutils,
 writeShellScript,
 makeBinaryWrapper,
@@ -20,6 +21,9 @@
 conf ? null,
 removeReferencesTo,
 testers,
+ providers ? [ ],
+ autoloadProviders ? false,
+ extraConfig ? null,
 }:
 
 # Note: this package is used for bootstrapping fetchurl, and thus
@@ -275,6 +279,30 @@ let
 ''
 + lib.optionalString (conf != null) ''
 cat ${conf} > $etc/etc/ssl/openssl.cnf
+ ''
+ + lib.concatStringsSep "\n" (
+ map
+ (provider: ''
+ cp --no-preserve=mode ${provider.package}/lib/ossl-modules/* "$out/lib/ossl-modules"
+
+ ${lib.optionalString (autoloadProviders) ''
+ sed -i '/^[[:space:]]*#/!s/\[provider_sect\]/[provider_sect]\n${provider.name} = ${provider.name}_sect/g' $etc/etc/ssl/openssl.cnf
+ echo "[${provider.name}_sect]" >> $etc/etc/ssl/openssl.cnf
+ echo "activate = 1" >> $etc/etc/ssl/openssl.cnf
+ ''}
+ '')
+ providers
+ )
+ + lib.optionalString (autoloadProviders) ''
+ # The default provider needs loading when there are other providers loaded by default
+ sed -i '/^[[:space:]]*#/!s/\[default_sect\]/[default_sect]\nactivate = 1/g' $etc/etc/ssl/openssl.cnf ''
+ + lib.optionalString (extraConfig != null) ''
+ echo "${extraConfig}" >> $etc/etc/ssl/openssl.cnf
 '';
 
 postFixup = 
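Review bot: The last added line of the third hunk, `echo "${extraConfig}" >> $etc/etc/ssl/openssl.cnf`, places the Nix interpolation inside a double-quoted bash string, so any `$`, backtick, backslash or `"` in the supplied config is expanded or stripped by the shell at build time instead of reaching openssl.cnf verbatim, and the same shell and sed parsing applies to `${provider.name}` in the two `echo` lines and in the sed replacement, where a `/`, `&` or `\` in a name corrupts the expression. Writing the text through the store avoids shell parsing entirely, e.g. `cat ${builtins.toFile "openssl-extra.cnf" extraConfig} >> $etc/etc/ssl/openssl.cnf`, and `lib.escapeShellArg` on the interpolated name covers the echoes. The `[provider_sect]` sed is silently a no-op when the base config, or a user-supplied `conf`, has no such section: `[<name>_sect]` and `activate = 1` are still appended but never referenced, so the provider is not autoloaded and nothing fails; a `grep -q '^\[provider_sect\]' $etc/etc/ssl/openssl.cnf` guard that aborts the build before the sed would surface that. The first hunk also adds `oqs-provider` to the function arguments although none of the shown hunks use it (the provider arrives through `providers`), which pulls a package that presumably links against openssl into openssl's own argument set; it looks removable. The attribute this string belongs to begins above the hunk.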
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 643a1e65738ae..0c8fb30a76563 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10458,6 +10458,21 @@ with pkgs;
 openssl = openssl_3_3;
+ openssl_quantum = openssl.override {
+ providers = [
+ {
+ name = "oqsprovider";
+ package = pkgs.oqs-provider;
+ }
+ ];
+ autoloadProviders = true;
+ # TLS groups should be post quantum by default
+ extraConfig = ''
+ [tls_system_default]
+ Groups = X25519MLKEM768:x25519_kyber768:x25519:P-521:prime256v1
+ '';
+ };
+
 openssl_legacy = openssl.override {
 conf = ../development/libraries/openssl/3.0/legacy.cnf;
 };
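Review bot: The `[tls_system_default]` section added via `extraConfig` is only consulted if the base openssl.cnf routes TLS defaults to it (an `ssl_conf` entry under `[openssl_init]` whose section sets `system_default = tls_system_default`); nothing in this commit establishes that chain, so unless the shipped openssl.cnf already names that exact section — worth confirming — the post-quantum `Groups` line is appended but never read and TLS keeps the library defaults. A comment naming the dependency would make the intent checkable, e.g. `# relies on the base openssl.cnf routing ssl_conf -> system_default = tls_system_default`, or the override could append that routing itself. `pkgs.oqs-provider` is redundant inside `with pkgs;` scope; `package = oqs-provider;` matches the neighbouring attributes. It is also worth recording in a comment that the provider's shared object is copied into this openssl's output, so `oqs-provider` must be built against an ABI-compatible openssl — presumably the non-overridden `openssl` this attribute is derived from.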