From 5ecfd546f66d4a68bd68537cc7efa9f174a24470 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Wed, 12 Mar 2025 12:47:56 +0100
Subject: [PATCH] fix: we have to build our own openssl to use standard paths

---
 flake.nix                |   1 +
 lib/make-sysext.nix      |   2 +-
 pkgs/openssl/default.nix | 166 +++++++++++++++++++++++++++++++++++++++
 pkgs/rootfs/default.nix  |   1 +
 pkgs/rootfs/mkrootfs.sh  |   9 ++-
 5 files changed, 176 insertions(+), 3 deletions(-)
 create mode 100644 pkgs/openssl/default.nix

diff --git a/flake.nix b/flake.nix
index ed6a3e5..fc453e8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
           kernel = pkgs.callPackage ./pkgs/kernel { };
           glibc = pkgs.callPackage ./pkgs/glibc { };
           busybox = pkgs.callPackage ./pkgs/busybox { };
+          openssl = pkgs.callPackage ./pkgs/openssl { };
           kexec = pkgs.callPackage ./pkgs/kexec-tools { };
           lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
           tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix
index fb1a8f0..2541e3d 100644
--- a/lib/make-sysext.nix
+++ b/lib/make-sysext.nix
@@ -63,7 +63,7 @@ runCommand name
       cp -Pv "$srcfile" "$destfile"
 
       chmod 755 "$destfile"
-      patchelf --set-rpath /lib:/usr/lib:/ $destfile
+      patchelf --set-rpath /usr/lib $destfile
       patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true
     }
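Review bot: The rewritten rpath line leaves `$destfile` unquoted although the `cp` three lines above quotes it, so a destination containing whitespace or glob characters is word-split before patchelf sees it; write `patchelf --set-rpath /usr/lib "$destfile"`. The untouched `--set-interpreter` line has the same quoting gap, and its `|| true` means a binary whose interpreter could not be rewritten is installed silently rather than failing the build, which is worth a comment explaining why that is acceptable here. The enclosing shell function starts before the hunk.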
 
diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix
new file mode 100644
index 0000000..137176d
--- /dev/null
+++ b/pkgs/openssl/default.nix
@@ -0,0 +1,166 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  perl,
+  makeBinaryWrapper,
+  withCryptodev ? false,
+  cryptodev,
+  withZlib ? false,
+  zlib,
+  enableSSL2 ? false,
+  enableSSL3 ? false,
+  enableMD2 ? false,
+  enableKTLS ? stdenv.hostPlatform.isLinux,
+  static ? stdenv.hostPlatform.isStatic,
+  removeReferencesTo,
+}:
+
+stdenv.mkDerivation rec {
+    pname = "openssl";
+    version = "3.4.1";
+    hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM=";
+
+    src = fetchurl {
+      url = "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz";
+      hash = hash;
+    };
+
+    outputs = [ "out" ];
+
+    nativeBuildInputs =
+      lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper
+      ++ [ perl ]
+      ++ lib.optionals static [ removeReferencesTo ];
+    buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib;
+
+    # TODO(@Ericson2314): Improve with mass rebuild
+    configurePlatforms = [ ];
+    configureScript =
+      {
+        armv5tel-linux = "./Configure linux-armv4 -march=armv5te";
+        armv6l-linux = "./Configure linux-armv4 -march=armv6";
+        armv7l-linux = "./Configure linux-armv4 -march=armv7-a";
+        x86_64-darwin = "./Configure darwin64-x86_64-cc";
+        aarch64-darwin = "./Configure darwin64-arm64-cc";
+        x86_64-linux = "./Configure linux-x86_64";
+        x86_64-solaris = "./Configure solaris64-x86_64-gcc";
+        powerpc64-linux = "./Configure linux-ppc64";
+        riscv32-linux = "./Configure ${
+          if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic"
+        }";
+        riscv64-linux = "./Configure linux64-riscv64";
+      }
+      .${stdenv.hostPlatform.system} or (
+        if stdenv.hostPlatform == stdenv.buildPlatform then
+          "./config"
+        else if stdenv.hostPlatform.isBSD then
+          if stdenv.hostPlatform.isx86_64 then
+            "./Configure BSD-x86_64"
+          else if stdenv.hostPlatform.isx86_32 then
+            "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf"
+          else
+            "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
+        else if stdenv.hostPlatform.isMinGW then
+          "./Configure mingw${
+            lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) (
+              toString stdenv.hostPlatform.parsed.cpu.bits
+            )
+          }"
+        else if stdenv.hostPlatform.isLinux then
+          if stdenv.hostPlatform.isx86_64 then
+            "./Configure linux-x86_64"
+          else if stdenv.hostPlatform.isMicroBlaze then
+            "./Configure linux-latomic"
+          else if stdenv.hostPlatform.isMips32 then
+            "./Configure linux-mips32"
+          else if stdenv.hostPlatform.isMips64n32 then
+            "./Configure linux-mips64"
+          else if stdenv.hostPlatform.isMips64n64 then
+            "./Configure linux64-mips64"
+          else
+            "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
+        else if stdenv.hostPlatform.isiOS then
+          "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross"
+        else
+          throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}"
+      );
+
+    # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags.
+    dontAddStaticConfigureFlags = true;
+
+    configureFlags =
+      [
+        "shared" # "shared" builds both shared and static libraries
+        "--prefix=/usr"
+        "--libdir=lib"
+        "--openssldir=/etc/ssl"
+      ]
+      ++ lib.optionals withCryptodev [
+        "-DHAVE_CRYPTODEV"
+        "-DUSE_CRYPTODEV_DIGESTS"
+      ]
+      ++ lib.optional enableMD2 "enable-md2"
+      ++ lib.optional enableSSL2 "enable-ssl2"
+      ++ lib.optional enableSSL3 "enable-ssl3"
+      # We select KTLS here instead of the configure-time detection (which we patch out).
+      # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
+      ++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls"
+      ++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
+      # OpenSSL needs a specific `no-shared` configure flag.
+      # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
+      # for a comprehensive list of configuration options.
+      ++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared"
+      ++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module"
+      # This introduces a reference to the CTLOG_FILE which is undesired when
+      # trying to build binaries statically.
+      ++ lib.optional static "no-ct"
+      ++ lib.optional withZlib "zlib"
+      # /dev/crypto support has been dropped in OpenBSD 5.7.
+      #
+      # OpenBSD's ports does this too,
+      # https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25.
+      #
+      # https://github.com/openssl/openssl/pull/10565 indicated the
+      # intent was that this would be configured properly automatically,
+      # but that doesn't appear to be the case.
+      ++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng"
+      ++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [
+        # This is necessary in order to avoid openssl adding -march
+        # flags which ultimately conflict with those added by
+        # cc-wrapper.  Openssl assumes that it can scan CFLAGS to
+        # detect any -march flags, using this perl code:
+        #
+        #   && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})
+        #
+        # The following bogus CFLAGS environment variable triggers the
+        # the code above, inhibiting `./Configure` from adding the
+        # conflicting flags.
+        "CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
+      ];
+
+    postPatch = ''
+      patchShebangs Configure
+    '';
+
+    installPhase = ''
+      make DESTDIR=$out install
+    '';
+
+    enableParallelBuilding = true;
+
+    meta = {
+      homepage = "https://www.openssl.org/";
+      changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
+      description = "Cryptographic library that implements the SSL and TLS protocols";
+      license = lib.licenses.openssl;
+      mainProgram = "openssl";
+      maintainers = with lib.maintainers; [ thillux ] ++ lib.teams.stridtech.members;
+      pkgConfigModules = [
+        "libcrypto"
+        "libssl"
+        "openssl"
+      ];
+      platforms = lib.platforms.all;
+    };
+}
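Review bot: The comment `# We select KTLS here instead of the configure-time detection (which we patch out).` describes a patch this derivation does not carry — there is no `patches` attribute, so OpenSSL's stock Configure runs and the parenthetical is misleading; either drop it or bring in the patch it refers to. In the same way `removeReferencesTo` is added to `nativeBuildInputs` for static builds but `remove-references-to` is never invoked in any phase, so it is a dead input that should go or be used in a `postInstall`. `meta.maintainers` still names the upstream nixpkgs maintainers rather than this repository's, and `hash = hash;` inside `fetchurl` reads more idiomatically as `inherit hash;`. Finally `installPhase` runs the full `make DESTDIR=$out install`, which also builds and installs man pages and HTML docs; if only libraries, headers and binaries are wanted, `install_sw` is the lighter target.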
diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix
index 4e64ddd..c7f0dba 100644
--- a/pkgs/rootfs/default.nix
+++ b/pkgs/rootfs/default.nix
@@ -30,6 +30,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   tpm2Libs = patosPkgs.tpm2-tss.out;
   kexec = patosPkgs.kexec.out;
   lvm2 = patosPkgs.lvm2.out;
+  openssl = patosPkgs.openssl.out;
 
   builder = ./mkrootfs.sh;
 })
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index ad227ad..14f4dac 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
@@ -115,6 +115,10 @@ EOF
 ### install PatOS glibc
 cp -P $glibcPatos/lib/*.so* $out/usr/lib/
 
+### install openssl
+cp -P $openssl/usr/lib/*.so* $out/usr/lib/
+cp -Pr $openssl/etc/ssl $out/etc/
+
 ### install kernel modules
 cp -r $kernel/lib/modules $out/usr/lib/
 find $out/usr/lib/modules -type d -exec chmod 755 {} \;
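Review bot: `cp -P $openssl/usr/lib/*.so*` copies only the `libcrypto`/`libssl` objects in `usr/lib` itself and skips the `ossl-modules/` and `engines-3/` subdirectories that OpenSSL 3's `make install` places next to them in the default layout, so providers such as `legacy` will be absent from the image while `libcrypto` still looks for them under `/usr/lib/ossl-modules`; if that is deliberate, a comment saying so would help, otherwise add `cp -Pr $openssl/usr/lib/ossl-modules $out/usr/lib/`. The `cp -Pr $openssl/etc/ssl $out/etc/` also carries the read-only store permissions over to `ssl/` and its `certs/` and `private/` subdirectories, and the later `chmod 755 $out/etc/ssl` relaxes only the top level, so any subsequent step that writes into `certs/` (hash symlinks, for instance) will fail unless those are fixed as well.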
@@ -149,7 +153,8 @@ cp -P $kmodBin/bin/* $out/usr/bin
 cp -P $libbpf/lib/libbpf* $out/usr/lib
 
 ### install ca cert bundle
-cp -Pr $cacert/etc/ssl $out/etc/
+chmod 755 $out/etc/ssl
+cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
 
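Review bot: With `-P`, `cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem` copies a symlink as a symlink, so if `ca-bundle.crt` is a link inside the cacert output the resulting `cert.pem` would dangle in the image instead of holding the bundle; for a single file whose content is what matters, `cp -L` (or plain `cp`) is the safer form. Since the old recursive copy of `$cacert/etc/ssl` is gone, nothing now populates `/etc/ssl/certs/`, so only OpenSSL's default CAfile (`/etc/ssl/cert.pem`, which matches the `--openssldir=/etc/ssl` set in the new package) is provided and a consumer that relies on the CApath hash directory alone will see an empty trust store. Either state that intentionally in a comment under `### install ca cert bundle`, or add an `openssl rehash` step so the directory form works too.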
 # setup default files
 $systemd/usr/bin/systemd-hwdb --root=$out --usr update
@@ -166,7 +171,7 @@ rm -rf $out/usr/lib/pkgconfig
 
 ### Find and install all shared libs
 find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
-  grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \
+  grep -v systemd | grep -v glibc | grep -v openssl | grep -v tpm2 | grep -v devmapper | grep -v not | \
   sort -u | xargs -I {} cp {} $out/usr/lib/
 
 find $out -type f -executable -exec chmod 755 {} \;
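Review bot: The added `grep -v not` silently discards every `=> not found` entry from ldd's output, so a binary whose dependency cannot be resolved at build time no longer breaks the `cp` but ships into the rootfs with a missing library that only surfaces at runtime; it is also a substring match, so any path containing `not` (a `libnotify.so`, say) is dropped the same way. Keep the failure visible instead: have awk emit only resolved paths, e.g. `awk '$2 == "=>" && $3 != "not" {print $3}'`, and separately fail the build (or at least log the offending binaries) when ldd reports `not found`. The new `grep -v openssl` is likewise a substring filter; that is fine for skipping the store copy already installed into `/usr/lib`, but a short comment saying so would stop the next reader from mistaking it for a bug.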